diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index fb18ae50aa..194bba2595 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 7c40b28490..f82df26e6e 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Malspam Execution Registering Malicious DLL, Python Offensive Tools and Packages"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Many Downloads From Several Binaries, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, SSH X11 Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Tunnel Traffic, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Linux Binary Masquerading"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Credentials Extraction, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, Many Downloads From Several Binaries, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, Venom Multi-hop Proxy agent detection, SSH Tunnel Traffic, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Linux Binary Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Remote File Copy"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Credentials Extraction, Linux Suspicious Search"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index 694d47301f..c9e617cd94 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Citrix NetScaler (ADC) Actions Blocked"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index d834ec9ab5..9ed2c261c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Socat Relaying Socket, WithSecure Elements Warning Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, WithSecure Elements Critical Severity, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL, Python Offensive Tools and Packages"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, WithSecure Elements Critical Severity, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, WithSecure Elements Warning Severity, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Login Brute-Force Successful On SentinelOne EDR Management Console, WithSecure Elements Critical Severity, Usage Of Sysinternals Tools, PsExec Process, WithSecure Elements Warning Severity, Microsoft Defender Antivirus Threat Detected, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, WithSecure Elements Warning Severity, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, WithSecure Elements Warning Severity, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, WithSecure Elements Warning Severity, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index b744276b28..151640565d 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index b785cb54a7..d20e1a18d0 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Google Workspace External Sharing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Google Workspace Bypass 2FA"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Suspended, Google Workspace User Deletion"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Google Workspace Login Brute-Force"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Google Workspace External Sharing, Cryptomining"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, Google Workspace Bypass 2FA"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Account Warning, Google Workspace Admin Creation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Suspended, Google Workspace User Deletion"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Google Workspace Login Brute-Force"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index e2f331cc3a..cb8232631a 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Defender XDR / Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Microsoft Defender XDR Cloud App Security Alert, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender XDR Office 365 Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, Microsoft Defender XDR Alert, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Microsoft Defender XDR Endpoint Alert, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, WMImplant Hack Tool, Powershell Web Request, Suspicious Outlook Child Process, Python Offensive Tools and Packages"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Cloud App Security Alert, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Defender XDR Office 365 Alert, Exploit For CVE-2015-1641, Login Brute-Force Successful On SentinelOne EDR Management Console, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, HTA Infection Chains, Winword Document Droppers, ISO LNK Infection Chain, Microsoft Defender XDR Alert, Explorer Process Executing HTA File, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, Microsoft Defender XDR Endpoint Alert, MS Office Product Spawning Exe in User Dir, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Microsoft Defender XDR Office 365 Alert, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Login Brute-Force Successful On SentinelOne EDR Management Console, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, Microsoft Defender XDR Alert, SolarWinds Wrong Child Process, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Microsoft Defender XDR Endpoint Alert, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, CVE-2021-4034 Polkit's pkexec, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Defender XDR / Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Office 365 Alert, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Defender XDR Alert, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender XDR Cloud App Security Alert, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Alert, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HTA Infection Chains, IcedID Execution Using Excel, Microsoft Defender XDR Cloud App Security Alert, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Office 365 Alert, SolarWinds Wrong Child Process, Rare Logonui Child Found, Microsoft Defender XDR Alert, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Microsoft Defender XDR Cloud App Security Alert, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 56a1329aca..ee7ea5b4b2 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index d12e62e35b..9c47ad822b 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Trend Micro Apex One Malware Alert, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Trend Micro Apex One Data Loss Prevention Alert, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL, Python Offensive Tools and Packages"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert, SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, HTA Infection Chains, Trend Micro Apex One Malware Alert, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert, Exfiltration Via Pscp, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Package Manager Alteration, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Cookies Deletion, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Trend Micro Apex One Data Loss Prevention Alert, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, Trend Micro Apex One Malware Alert, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Trend Micro Apex One Malware Alert, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Trend Micro Apex One Malware Alert, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, Cookies Deletion"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index e3494df039..a115fb29b4 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 7a247f02ba..5d7d0519f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, SentinelOne EDR Threat Detected (Malicious), Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Login Brute-Force Successful On SentinelOne EDR Management Console, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, SentinelOne EDR Threat Mitigation Report Remediate Success, Linux Bash Reverse Shell, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Suspicious File Name, SentinelOne EDR Agent Disabled, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Detected (Suspicious), Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, SentinelOne EDR Threat Mitigation Report Kill Success, Mustang Panda Dropper, Phorpiex DriveMgr Command, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Logged In To The Management Console, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Malspam Execution Registering Malicious DLL, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Login Brute-Force Successful On SentinelOne EDR Management Console, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, HTA Infection Chains, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Agent Disabled, ISO LNK Infection Chain, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Logged In To The Management Console, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Malspam Execution Registering Malicious DLL, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), Usage Of Sysinternals Tools, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Success, PsExec Process, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Agent Disabled, SolarWinds Wrong Child Process, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR User Logged In To The Management Console, OneNote Suspicious Children Process, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Usage Of Procdump With Common Arguments, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Lazarus Loaders, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, SentinelOne EDR Threat Mitigation Report Kill Success, Correlation Supicious Powershell Drop and Exec, SentinelOne EDR Threat Detected (Suspicious), Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious Taskkill Command, Login Failed Brute-Force On SentinelOne EDR Management Console, Linux Bash Reverse Shell, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, SentinelOne EDR Custom Rule Alert, PowerShell Invoke Expression With Registry, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Quarantine Success, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Malicious), PowerShell Commands Invocation, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Kill Success, ZIP LNK Infection Chain, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Remediate Success, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Cobalt Strike Default Beacons Names, SentinelOne EDR Custom Rule Alert, HTA Infection Chains, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, Malspam Execution Registering Malicious DLL, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Malicious), ISO LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SolarWinds Wrong Child Process, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Remediate Success, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Custom Rule Alert, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Quarantine Success, PsExec Process, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Malicious), OneNote Suspicious Children Process, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Agent Disabled"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, FLTMC command usage, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Control Panel Items, CertOC Loading Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious PROCEXP152.sys File Created In Tmp, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Correlation Supicious Powershell Drop and Exec, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
index 291d879f47..d821f40131 100644
--- a/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_09754cc4-e247-4712-9a76-25529ba11b8b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x 1Password EPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: 1Password EPM Share Externally, Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 1Password EPM Grant Access Vault"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: 1Password EPM Brute Force"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x 1Password EPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: 1Password EPM Share Externally, Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: 1Password EPM Grant Access Vault"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: 1Password EPM MFA Disable"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: 1Password EPM Brute Force"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 1a1e26384b..fbafce5bf5 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index 1f7c639008..cfcc767da6 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, ZIP LNK Infection Chain, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, ISO LNK Infection Chain, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Windows Update LolBins, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, ISO LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Screenconnect Remote Execution, Lazarus Loaders, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Windows Update LolBins, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Suspicious DNS Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Suspicious DNS Child Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 04755a0b70..c929721d1b 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, ZIP LNK Infection Chain, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Gpscript Suspicious Parent, New Service Creation, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Winlogon wrong parent, Smss Wrong Parent, Searchindexer Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Gpscript Suspicious Parent, New Service Creation, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Winlogon wrong parent, Smss Wrong Parent, Searchindexer Wrong Parent, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Searchprotocolhost Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, CVE-2021-4034 Polkit's pkexec"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Microsoft Office Spawning Script, Suspicious Taskkill Command, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, ISO LNK Infection Chain, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Screenconnect Remote Execution, Lazarus Loaders, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, SolarWinds Wrong Child Process, Taskhost Wrong Parent, New Service Creation, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Csrss Wrong Parent, OneNote Suspicious Children Process, Lsass Wrong Parent, SolarWinds Wrong Child Process, Taskhost Wrong Parent, New Service Creation, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Csrss Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Csrss Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 5b139fb9fe..79a3c61b89 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 71a0073a2d..fcbd8fbc61 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Anonymous IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Anonymous IP, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Authentication Impossible Travel, Entra ID Password Compromised By Known Credential Testing Tool, Password Change Brute-Force On AzureAD"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool, Authentication Impossible Travel, Password Change Brute-Force On AzureAD, RSA SecurID Failed Authentification"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index ac6b9417b7..3d9a42998b 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index 5dfdc4d760..92e1ad56a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 39da427721..e24be26e15 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index 76b8b5a545..574bd26dfa 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index db4f78cbd3..f6d94a8cf4 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, CrowdStrike Falcon Intrusion Detection Low Severity, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Intrusion Detection, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Interactive Terminal Spawned via Python, CrowdStrike Falcon Intrusion Detection Medium Severity, Powershell Web Request, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, CrowdStrike Falcon Identity Protection Detection Medium Severity, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, CrowdStrike Falcon Identity Protection Detection High Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, CrowdStrike Falcon Identity Protection Detection Low Severity, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, CrowdStrike Falcon Identity Protection Detection Critical Severity, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection Informational Severity"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection Informational Severity, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection Critical Severity, Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection Low Severity, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining, CrowdStrike Falcon Mobile Detection High Severity"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Low Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection Medium Severity, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection Medium Severity, HTA Infection Chains, Winword Document Droppers, ISO LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection High Severity, Explorer Process Executing HTA File, ZIP LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection Low Severity, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Identity Protection Detection Critical Severity, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection Informational Severity"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, CrowdStrike Falcon Intrusion Detection Low Severity, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection, Usage Of Sysinternals Tools, Suspicious DNS Child Process, CrowdStrike Falcon Intrusion Detection Critical Severity, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, CrowdStrike Falcon Identity Protection Detection Medium Severity, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, CrowdStrike Falcon Identity Protection Detection High Severity, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Rare Logonui Child Found, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Usage Of Procdump With Common Arguments, CrowdStrike Falcon Identity Protection Detection Informational Severity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, CrowdStrike Falcon Intrusion Detection Medium Severity, Socat Reverse Shell Detection, FromBase64String Command Line, CrowdStrike Falcon Identity Protection Detection High Severity, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Identity Protection Detection Critical Severity, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, CrowdStrike Falcon Identity Protection Detection Informational Severity, Mustang Panda Dropper, Interactive Terminal Spawned via Python, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Informational Severity, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Powershell Web Request, CrowdStrike Falcon Identity Protection Detection Medium Severity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, Sysprep On AppData Folder"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, CrowdStrike Falcon Mobile Detection Informational Severity, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection High Severity, DNS Tunnel Technique From MuddyWater, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection Low Severity, Cryptomining, CrowdStrike Falcon Mobile Detection Critical Severity, CrowdStrike Falcon Mobile Detection Medium Severity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Medium Severity, Exploit For CVE-2015-1641, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Explorer Process Executing HTA File, ZIP LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection Critical Severity, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Identity Protection Detection Informational Severity, Cobalt Strike Default Beacons Names, HTA Infection Chains, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Informational Severity, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection Medium Severity, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection High Severity, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, CrowdStrike Falcon Identity Protection Detection Critical Severity, Lsass Wrong Parent, Rare Lsass Child Found, CrowdStrike Falcon Identity Protection Detection Informational Severity, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Low Severity, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Informational Severity, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, CrowdStrike Falcon Identity Protection Detection Medium Severity, Taskhost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index 3c09428921..667eed6476 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Socat Relaying Socket"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, RTLO Character, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Socat Relaying Socket, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 987f1f4d85..80fd618b2d 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 84941e1054..8c0efe4f46 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Turla Named Pipes, WMI DLL Loaded Via Office, Suspicious Cmd.exe Command Line, Suspicious Scripting In A WMI Consumer, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious DLL Loaded Via Office Applications, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Detection of default Mimikatz banner, PowerShell Credential Prompt, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, In-memory PowerShell, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Many Downloads From Several Binaries, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat, IcedID Execution Using Excel, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine)"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat, IcedID Execution Using Excel, HTA Infection Chains, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, ISO LNK Infection Chain, Explorer Process Executing HTA File, ZIP LNK Infection Chain, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Hlai Engine Detection, Suspicious Outlook Child Process, HarfangLab EDR Process Execution Blocked (HL-AI engine)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Turla Named Pipes, Malicious PowerShell Keywords, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Generic, Detection of default Mimikatz banner, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, In-memory PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Svchost Wrong Parent, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Malicious Named Pipe, Process Herpaderping, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Dynwrapx Module Loading, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Replication User Backdoor, User Added to Local Administrators, Active Directory User Backdoors, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, RedMimicry Winnti Playbook Dropped File, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Impacket Secretsdump.py Tool, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Comsvcs, Malicious Service Installations, Password Dumper Activity On LSASS, Cmdkey Cached Credentials Recon, LSASS Memory Dump File Creation, HackTools Suspicious Process Names In Command Line, DCSync Attack, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, WCE wceaux.dll Creation, DPAPI Domain Backup Key Extraction, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, LSASS Access From Non System Account, Rubeus Tool Command-line, Active Directory Replication from Non Machine Account, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, NTDS.dit File In Suspicious Directory, Transfering Files With Credential Data Via Network Shares, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious SAM Dump, HackTools Suspicious Names, LSASS Memory Dump, SAM Registry Hive Handle Request, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Correlation Impacket Smbexec, Metasploit PSExec Service Creation, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Windows Suspicious Service Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Correlation Impacket Smbexec, Metasploit PSExec Service Creation, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Windows Suspicious Service Creation, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Winlogon wrong parent, Check Point Harmony Mobile Application Forbidden, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Suspect Svchost Memory Access, Microsoft Defender Antivirus Configuration Changed, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Python Opening Ports, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Dynwrapx Module Loading, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Audit CVE Event, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, SSH X11 Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH Tunnel Traffic, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Workstation Lock, Suspicious New Printer Ports In Registry, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, LanManServer Registry Modify, Ursnif Registry Key, Disabling SmartScreen Via Registry, Remote Registry Management Using Reg Utility, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, Wdigest Enable UseLogonCredential, Chafer (APT 39) Activity, DHCP Callout DLL Installation, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Process Memory Dump Using Createdump, Credential Dumping-Tools Common Named Pipes, Lsass Access Through WinRM, Credential Dump Tools Related Files, Unsigned Image Loaded Into LSASS Process, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI DLL Loaded Via Office, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Suspicious TGS requests (Kerberoasting), Possible Replay Attack, Suspicious Outbound Kerberos Connection, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Lateral Movement Remote Named Pipe, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, Admin Share Access, MMC20 Lateral Movement, Correlation Impacket Smbexec, Lsass Access Through WinRM, MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups, Active Directory Data Export Using Csvde, AD User Enumeration, PowerView commandlets 2, Reconnaissance Commands Activities, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious DLL Loaded Via Office Applications, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key, Kernel Module Alteration, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Protected Storage Service Access, Admin Share Access, Correlation Impacket Smbexec, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Unsigned Driver Loaded From Suspicious Location"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, ETW Tampering, Eventlog Cleared, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, File and Directory Permissions Modification, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Setuid Or Setgid Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, Adexplorer Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Suspicious Scripting In A WMI Consumer, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Suspicious DLL Loaded Via Office Applications, Elise Backdoor, Detection of default Mimikatz banner, Suspicious Cmd.exe Command Line, Turla Named Pipes, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, PowerShell Credential Prompt, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Alternate PowerShell Hosts Pipe, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, WMI DLL Loaded Via Office, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, PowerShell Malicious PowerShell Commandlets, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Chafer (APT 39) Activity, Dynamic DNS Contacted, Many Downloads From Several Binaries, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Cisco Umbrella Threat Detected, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, GitLab CVE-2021-22205"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Threat, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR High Threat, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Threat, ZIP LNK Infection Chain, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, HTA Infection Chains, IcedID Execution Using Excel, HarfangLab EDR High Threat, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, ISO LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Detection of default Mimikatz banner, Turla Named Pipes, Screenconnect Remote Execution, Suspicious Taskkill Command, PowerShell Credential Prompt, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Malicious Named Pipe, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Taskhost Wrong Parent, Process Herpaderping, MavInject Process Injection, Process Hollowing Detection, Dynwrapx Module Loading, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Replication User Backdoor, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, LSASS Memory Dump, Grabbing Sensitive Hives Via Reg Utility, Lsass Access Through WinRM, RedMimicry Winnti Playbook Dropped File, Password Dumper Activity On LSASS, NetNTLM Downgrade Attack, Unsigned Image Loaded Into LSASS Process, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Rdrleakdiag, DPAPI Domain Backup Key Extraction, NTDS.dit File In Suspicious Directory, DCSync Attack, Dumpert LSASS Process Dumper, Credential Dumping Tools Service Execution, Windows Credential Editor Registry Key, Suspicious SAM Dump, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, LSASS Memory Dump File Creation, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Mimikatz LSASS Memory Access, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, LSASS Access From Non System Account"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Cobalt Strike Default Service Creation Usage, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Cobalt Strike Default Service Creation Usage, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Windows Suspicious Service Creation, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Suspicious PsExec Execution, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Correlation Impacket Smbexec, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Windows Suspicious Service Creation, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Credential Dumping Tools Service Execution, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Suspicious PsExec Execution, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Check Point Harmony Mobile Application Forbidden, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Correlation Impacket Smbexec, Taskhost Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Python Opening Ports, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Python Opening Ports, Suspicious Driver Loaded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Dynwrapx Module Loading, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Audit CVE Event"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, Venom Multi-hop Proxy agent detection, SSH Tunnel Traffic, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery, Adidnsdump Enumeration, Remote System Discovery Via Telnet"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, Disable Security Events Logging Adding Reg Key MiniNt, Remote Registry Management Using Reg Utility, Disabling SmartScreen Via Registry, Disable Workstation Lock, Chafer (APT 39) Activity, RDP Port Change Using Powershell, Wdigest Enable UseLogonCredential, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Mimikatz LSASS Memory Access, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, LSASS Memory Dump, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Lsass Access Through WinRM, Windows Credential Editor Registry Key, LSASS Memory Dump File Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, LSASS Access From Non System Account"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool, WMI DLL Loaded Via Office"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Rubeus Register New Logon Process, Possible Replay Attack, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage, RDP Port Change Using Powershell, RDP Login From Localhost, MMC20 Lateral Movement, Remote Service Activity Via SVCCTL Named Pipe, Denied Access To Remote Desktop, Lsass Access Through WinRM, Correlation Impacket Smbexec, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Reconnaissance Commands Activities, PowerView commandlets 2, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, WMI DLL Loaded Via Office, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Unsigned Driver Loaded From Suspicious Location, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Discovery Commands Correlation, AD User Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Eventlog Cleared, Cookies Deletion, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, AD Object WriteDAC Access, File and Directory Permissions Modification, File Or Folder Permissions Modifications"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Remote File Copy"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Credentials Extraction, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index c77329561b..5a552dedef 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index feab4d734e..04102db586 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index 3c3e21a530..1b78b60c82 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Suspicious Outlook Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Login Brute-Force Successful On SentinelOne EDR Management Console, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Login Brute-Force Successful On SentinelOne EDR Management Console, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 27447ddaf2..5e55798175 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, TrevorC2 HTTP Communication"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Sliver DNS Beaconing, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 70bd3b5d52..bb6285b575 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Suspicious File Name, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, PowerShell Commands Invocation, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious PROCEXP152.sys File Created In Tmp, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 7013944bc9..0c2ac6bef1 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
index 7c391a7156..a683479784 100644
--- a/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2f28e4f9-a4f3-40a6-9909-b69f3df32535_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ V103", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Shellcode Detect, Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malcore, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malcore, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Beacon Detect, Gatewatcher AionIQ V103 Sigflow Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Network Behavior Analytics"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1598", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Retrohunt, Gatewatcher AionIQ V103 Active CTI"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Ransomware Detect"}, {"techniqueID": "T1568.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1568", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1029", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malicious Powershell Detect"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ V103", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Gatewatcher AionIQ V103 Shellcode Detect"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malcore, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malcore, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Sigflow Alert, SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ V103 Beacon Detect"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Network Behavior Analytics"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1598", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Retrohunt, Gatewatcher AionIQ V103 Active CTI"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Ransomware Detect"}, {"techniqueID": "T1568.002", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1568", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Dga Detect"}, {"techniqueID": "T1029", "score": 100, "comment": "Rules: Gatewatcher AionIQ V103 Malicious Powershell Detect"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index 9b4b108240..f4e6c436ec 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, Web Application Launching Shell, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: ESET Protect Malware, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Winword Document Droppers, Microsoft Office Spawning Script, ZIP LNK Infection Chain, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, ESET Protect Intrusion Detection, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Searchindexer Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Searchindexer Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Suspicious DNS Child Process, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, PsExec Process, Searchindexer Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Suspicious DNS Child Process, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, PsExec Process, Searchindexer Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Web Application Launching Shell"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, RTLO Character"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Web Application Launching Shell, Microsoft Office Spawning Script, Sekoia.io EICAR Detection, Socat Relaying Socket, Suspicious Outlook Child Process, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, ESET Protect Malware, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, ESET Protect Intrusion Detection, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Web Application Launching Shell"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 955991db15..c78d2d4869 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index d8771e51ef..549fa6f111 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike DNS Beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Cobalt Strike DNS Beaconing, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index 68c54a96b3..b6d73f0da5 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index 60ba1a992c..8485945596 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index c5a6a7f060..932a85ca9d 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, Interactive Terminal Spawned via Python, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, PowerShell Credential Prompt, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Suspicious Outlook Child Process, Python Offensive Tools and Packages"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, LokiBot Default C2 URL, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike DNS Beaconing, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Python HTTP Server, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat, IcedID Execution Using Excel, HTA Infection Chains, Winword Document Droppers, ISO LNK Infection Chain, Explorer Process Executing HTA File, ZIP LNK Infection Chain, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Hlai Engine Detection, Suspicious Outlook Child Process, HarfangLab EDR Process Execution Blocked (HL-AI engine)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat, IcedID Execution Using Excel, Winword Document Droppers, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Antivirus Web Shell Detection, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Remote Registry Management Using Reg Utility, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, Chafer (APT 39) Activity, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RDP Port Change Using Powershell, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Correlation Impacket Smbexec, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Correlation Impacket Smbexec, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Protected Storage Service Access, RDP Login From Localhost, Admin Share Access, MMC20 Lateral Movement, Correlation Impacket Smbexec, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups, Active Directory Data Export Using Csvde, AD User Enumeration, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Password Dumper Activity On LSASS, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Impacket Secretsdump.py Tool, Process Memory Dump Using Comsvcs, Malicious Service Installations, Password Dumper Activity On LSASS, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Transfering Files With Credential Data Via Network Shares, Credential Dump Tools Related Files, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe, Protected Storage Service Access, Correlation Impacket Smbexec"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, SSH Authorized Key Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Eventlog Cleared, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Credentials Extraction, Adexplorer Usage, Remote Registry Management Using Reg Utility, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292, Successful Brute Force Login From Internet"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, PowerShell Credential Prompt, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, PowerShell Malicious PowerShell Commandlets, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Python HTTP Server, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Cobalt Strike DNS Beaconing, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Chafer (APT 39) Activity, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway, Suspicious Hostname"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Threat, ZIP LNK Infection Chain, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, HTA Infection Chains, IcedID Execution Using Excel, HarfangLab EDR High Threat, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, ISO LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Threat, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR High Threat, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft IIS Module Installation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Screenconnect Remote Execution, Suspicious Taskkill Command, PowerShell Credential Prompt, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery, Adidnsdump Enumeration, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, Chafer (APT 39) Activity, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Suspicious PsExec Execution, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Correlation Impacket Smbexec, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Suspicious PsExec Execution, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Correlation Impacket Smbexec, Taskhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, RDP Port Change Using Powershell, RDP Login From Localhost, MMC20 Lateral Movement, Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Reconnaissance Commands Activities, PowerView commandlets 2, AD User Enumeration, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Password Dumper Activity On LSASS, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Password Dumper Activity On LSASS, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, AD User Enumeration, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Eventlog Cleared, Erase Shell History, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Credentials Extraction, Linux Suspicious Search, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index ab6f25390d..478b61b4fe 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index c45f50ab4b..533eb698ea 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection, Sophos EDR Application Blocked, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index 0add1cf526..aca49163e7 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 076f778070..4f5f2ba06e 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Sekoia.io EICAR Detection, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index edbb0f900f..8e8a83a356 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Interactive Terminal Spawned via Python, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, PowerShell Credential Prompt, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Suspicious Outlook Child Process, Python Offensive Tools and Packages"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Suspicious DNS Child Process, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, ZIP LNK Infection Chain, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, ISO LNK Infection Chain, IcedID Execution Using Excel, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RDP Port Change Using Powershell, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Dumpert LSASS Process Dumper, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Copying Browser Files With Credentials, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Names, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Credentials Extraction, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, PowerShell Credential Prompt, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, PowerShell Malicious PowerShell Commandlets, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, ISO LNK Infection Chain, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Screenconnect Remote Execution, Suspicious Taskkill Command, PowerShell Credential Prompt, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, WMI Persistence Command Line Event Consumer, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, WMI Persistence Command Line Event Consumer, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery, Adidnsdump Enumeration, Remote System Discovery Via Telnet"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Dumpert LSASS Process Dumper, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Credentials Extraction, Linux Suspicious Search"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 0db6bef39c..aff0eec790 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Suspicious Windows DNS Queries, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, SELinux Disabling, Disabled Service"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Sekoia.io EICAR Detection, Socat Relaying Socket, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 6ce013d69c..4ab33931c7 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, TrevorC2 HTTP Communication"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 9fb550caa6..5dad3521dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 773a105bc2..211e3a9257 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 9bf86968e8..2406182168 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket, Aspnet Compiler"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Sekoia.io EICAR Detection, Aspnet Compiler, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 52bc24376b..a3863c9c28 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cato Networks SASE High Risk Alert, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Cato Networks SASE High Risk Alert, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 4daed18035..890c9377de 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index ad4e382235..ccbc91517c 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Alert High Severity Sesame it Jizo NDR"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 5a2b81a0d4..66812974d1 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index bb18f4296b..027997b6b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index 369d3877e5..7c9ce490cc 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
index ab3a88352e..f6da4c5be6 100644
--- a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index 51e17af1e7..0e6886cb30 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index b1c6c8214a..7c88e1e72f 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index dad1ed308f..2b370388b7 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortigate Firewall Successful External Login, RSA SecurID Failed Authentification, Fortigate Firewall Login In Failure, Login Brute-Force On Firewall"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Correlation Fortigate Multi Alert From One Internal Ip, Fortigate IPS Critical Alert, Burp Suite Tool Detected, Fortigate IPS High Severity Alert, Correlation Fortigate Multi Dest From One Internal Ip, Internet Scanner"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Fortigate Firewall Successful External Login, Account Removed From A Security Enabled Group, Login Brute-Force On Firewall, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Fortigate Firewall Login In Failure, Login Brute-Force On Firewall, Fortigate Firewall Successful External Login"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Nimbo-C2 User Agent, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Fortigate IPS Critical Alert, Correlation Fortigate Multi Dest From One Internal Ip, Internet Scanner Target, Fortigate IPS High Severity Alert, Correlation Fortigate Multi Alert From One Internal Ip"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Fortigate Firewall Successful External Login"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index 87574dac44..49510b9536 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Severe Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Severe Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Minor Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Minor Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Minor Vulnerability, Bitsight SPM Material Vulnerability, Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index bd7891109f..3d673d3f27 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Medium Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Low Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 6605bae0f5..823f8fe8ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 547a898fc9..6cdede5fd6 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 0a705cc401..7dd045387f 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Suspicious Outlook Child Process, Python Offensive Tools and Packages"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Package Manager Alteration, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, New Service Creation, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, New Service Creation, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Suspicious Outlook Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index a1a3a253bd..e952e7ded8 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index c9e8564a50..d3926efe48 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index bde0402d93..90a69d4a80 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 9a2ca0dee3..e6807bbf09 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 558848c197..57092b8a9b 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index 1910abd7a8..7634a7ed7b 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
index eb9e8af31e..1018a95481 100644
--- a/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_64d118f0-84a5-4f46-ab05-7776bd6d0eed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Clavister NGFW [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Clavister NGFW [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
index dc70865ca8..2e20140a89 100644
--- a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index 986786b40f..b194d2414d 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 5c2308d8ac..b8cba08d2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Brute Force WALLIX Bastion"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Brute Force WALLIX Bastion"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 02b1ffb213..dd2a912563 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index 18b8e7226c..f244266841 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 7815d3b0f7..4e2f3e9c7c 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index aa4837a462..1cdcb80e50 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index ac8922e892..c736471d38 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 69b23e1e1c..12cceafde0 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL, Python Offensive Tools and Packages"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index 4b806d04d5..0cc1b12c2f 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index ccb8ddc78f..102f7b65d2 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index ec7bae5a1b..a389884268 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Allowed to Malicious Domain, Correlation Potential DNS Tunnel, Cloudflare Gateway DNS Query Blocked to Malicious Domain, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Blocked to Malicious Domain, Cloudflare Gateway DNS Query Allowed to Malicious Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cloudflare Gateway DNS Query Allowed to Malicious Domain, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cloudflare Gateway DNS Query Blocked to Malicious Domain, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway DNS Query Allowed to Malicious Domain, Cloudflare Gateway DNS Query Blocked to Malicious Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 79884db361..70de4165d4 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Many File Created and Deleted, Varonis Massive Dowloads By A Single User"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Varonis Many File Created and Deleted, Varonis Massive Dowloads By A Single User"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Varonis Many Accounts Disabled"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index 2fb4db2812..060e2014d8 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 90188766fd..445aacd88e 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Delete Action"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Delete Action"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index 393d284684..24709f9fbb 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index ac4c27ebda..35ffb624da 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index 0b89f5bb23..dea1c892a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 81ab1ee6da..c1e01353c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index c7f027acc7..29fe624d91 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
index 5fdde30d15..ee1133b8b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Sekoia.io EICAR Detection, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index e6c6021a97..a707caa9cf 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index 044c09f75f..634d7f2478 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index fa1b317831..e9ebb06f84 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, TEHTRIS EDR Alert, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, TEHTRIS EDR Alert, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, TEHTRIS EDR Alert, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, TEHTRIS EDR Alert, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index 46e3166fda..05297014d0 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index bc1820c2fe..b4d8a87414 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block Multiple Destinations, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Internet Scanner Target, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Authentication Impossible Travel, Login Brute-Force On Firewall"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Account Removed From A Security Enabled Group, Login Brute-Force On Firewall, Account Added To A Security Enabled Group"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, WAF Correlation Block actions, Internet Scanner Target"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Login Brute-Force On Firewall, Authentication Impossible Travel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Authentication Impossible Travel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index 3d06c50812..948088859b 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index 6ff0ac6299..6cd9ba0a9d 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index ee83a15ca4..dcf470831a 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Turla Named Pipes, Generic-reverse-shell-oneliner, WMI DLL Loaded Via Office, Suspicious Cmd.exe Command Line, Suspicious Scripting In A WMI Consumer, Microsoft Defender Antivirus Threat Detected, Interactive Terminal Spawned via Python, Login Brute-Force Successful On SentinelOne EDR Management Console, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Suspicious DLL Loaded Via Office Applications, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Detection of default Mimikatz banner, PowerShell Credential Prompt, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, In-memory PowerShell, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Correlation Internal Kerberos Password Spraying, Successful Brute Force Login From Internet, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Suspicious LDAP-Attributes Used, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Python HTTP Server, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Suspicious URL Requested By Curl Or Wget Commands, Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, TUN/TAP Driver Installation, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Audit CVE Event, Download Files From Suspicious TLDs, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat, IcedID Execution Using Excel, HTA Infection Chains, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, ISO LNK Infection Chain, Explorer Process Executing HTA File, ZIP LNK Infection Chain, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Hlai Engine Detection, Suspicious Outlook Child Process, HarfangLab EDR Process Execution Blocked (HL-AI engine)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, HarfangLab EDR Medium Threat, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, HarfangLab EDR Critical Threat, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR High Threat, IcedID Execution Using Excel, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Antivirus Web Shell Detection"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension, Unsigned Driver Loaded From Suspicious Location"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Login Brute-Force Successful On SentinelOne EDR Management Console, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Correlation Impacket Smbexec, Metasploit PSExec Service Creation, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Windows Suspicious Service Creation, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Winlogon wrong parent, Check Point Harmony Mobile Application Forbidden, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Turla Named Pipes, Malicious PowerShell Keywords, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Generic, Detection of default Mimikatz banner, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, In-memory PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Svchost Wrong Parent, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Malicious Named Pipe, Process Herpaderping, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Dynwrapx Module Loading, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Replication User Backdoor, User Added to Local Administrators, Active Directory User Backdoors, Active Directory Delegate To KRBTGT Service, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, RedMimicry Winnti Playbook Dropped File, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Impacket Secretsdump.py Tool, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Comsvcs, Malicious Service Installations, Password Dumper Activity On LSASS, Cmdkey Cached Credentials Recon, Process Trace Alteration, LSASS Memory Dump File Creation, HackTools Suspicious Process Names In Command Line, DCSync Attack, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, WCE wceaux.dll Creation, DPAPI Domain Backup Key Extraction, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, LSASS Access From Non System Account, Rubeus Tool Command-line, Active Directory Replication from Non Machine Account, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, NTDS.dit File In Suspicious Directory, Transfering Files With Credential Data Via Network Shares, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious SAM Dump, HackTools Suspicious Names, LSASS Memory Dump, SAM Registry Hive Handle Request, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, APT29 Fake Google Update Service Install, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious PsExec Execution, Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Correlation Impacket Smbexec, Metasploit PSExec Service Creation, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Windows Suspicious Service Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Suspect Svchost Memory Access, Microsoft Defender Antivirus Configuration Changed, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Security Events Logging Adding Reg Key MiniNt, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Python Opening Ports, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Dynwrapx Module Loading, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Workstation Lock, Suspicious New Printer Ports In Registry, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, LanManServer Registry Modify, Ursnif Registry Key, Disabling SmartScreen Via Registry, Remote Registry Management Using Reg Utility, Blue Mockingbird Malware, Disable Security Events Logging Adding Reg Key MiniNt, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation, RDP Port Change Using Powershell, Wdigest Enable UseLogonCredential, Chafer (APT 39) Activity, DHCP Callout DLL Installation, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Process Memory Dump Using Createdump, Credential Dumping-Tools Common Named Pipes, Lsass Access Through WinRM, Credential Dump Tools Related Files, Unsigned Image Loaded Into LSASS Process, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Werfault DLL Injection, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI DLL Loaded Via Office, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Suspicious TGS requests (Kerberoasting), Possible Replay Attack, Suspicious Outbound Kerberos Connection, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Lateral Movement Remote Named Pipe, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, Admin Share Access, MMC20 Lateral Movement, Correlation Impacket Smbexec, Lsass Access Through WinRM, MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups, Active Directory Data Export Using Csvde, AD User Enumeration, PowerView commandlets 2, Reconnaissance Commands Activities, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious DLL Loaded Via Office Applications, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key, Kernel Module Alteration, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement Remote Named Pipe, Protected Storage Service Access, Admin Share Access, Correlation Impacket Smbexec, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Discovery Commands Correlation"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, ETW Tampering, Eventlog Cleared, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, RDP Port Change Using Powershell, Denied Access To Remote Desktop"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Credentials Extraction, Adexplorer Usage, Remote Registry Management Using Reg Utility, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292, Successful Brute Force Login From Internet"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Suspicious Scripting In A WMI Consumer, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Suspicious DLL Loaded Via Office Applications, Elise Backdoor, Detection of default Mimikatz banner, Suspicious Cmd.exe Command Line, Turla Named Pipes, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, PowerShell Credential Prompt, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, In-memory PowerShell, Interactive Terminal Spawned via Python, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Alternate PowerShell Hosts Pipe, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, WMI DLL Loaded Via Office, Microsoft Defender Antivirus Disabled Base64 Encoded, Generic-reverse-shell-oneliner, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, PowerShell Malicious PowerShell Commandlets, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Login Brute-Force Successful On SentinelOne EDR Management Console, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Successful Brute Force Login From Internet, Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Python HTTP Server, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, Suspicious LDAP-Attributes Used, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Chafer (APT 39) Activity, Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious URL Requested By Curl Or Wget Commands, User Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage, Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Audit CVE Event"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Threat, ZIP LNK Infection Chain, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, HTA Infection Chains, IcedID Execution Using Excel, HarfangLab EDR High Threat, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, ISO LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Threat, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR High Threat, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Unsigned Driver Loaded From Suspicious Location, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Windows Suspicious Service Creation, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Credential Dumping Tools Service Execution, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Suspicious PsExec Execution, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Check Point Harmony Mobile Application Forbidden, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Correlation Impacket Smbexec, Taskhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Dynamic Linker Hijacking From Environment Variable, Werfault DLL Injection, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Detection of default Mimikatz banner, Turla Named Pipes, Screenconnect Remote Execution, Suspicious Taskkill Command, PowerShell Credential Prompt, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Malicious Named Pipe, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Taskhost Wrong Parent, Process Herpaderping, MavInject Process Injection, Process Hollowing Detection, Address Space Layout Randomization (ASLR) Alteration, Dynwrapx Module Loading, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Replication User Backdoor, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, LSASS Memory Dump, Grabbing Sensitive Hives Via Reg Utility, Lsass Access Through WinRM, RedMimicry Winnti Playbook Dropped File, Password Dumper Activity On LSASS, NetNTLM Downgrade Attack, Unsigned Image Loaded Into LSASS Process, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Active Directory Database Dump Via Ntdsutil, Process Memory Dump Using Rdrleakdiag, DPAPI Domain Backup Key Extraction, NTDS.dit File In Suspicious Directory, DCSync Attack, Dumpert LSASS Process Dumper, Credential Dumping Tools Service Execution, Windows Credential Editor Registry Key, Suspicious SAM Dump, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, LSASS Memory Dump File Creation, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Mimikatz LSASS Memory Access, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, LSASS Access From Non System Account"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Cobalt Strike Default Service Creation Usage, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Cobalt Strike Default Service Creation Usage, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, WMI Persistence Command Line Event Consumer, StoneDrill Service Install, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Windows Suspicious Service Creation, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Credential Dumping Tools Service Execution, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Suspicious PsExec Execution, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Correlation Impacket Smbexec, Taskhost Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Python Opening Ports, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Python Opening Ports, Suspicious Driver Loaded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Dynwrapx Module Loading, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Configuration Changed, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, System Network Connections Discovery, Adidnsdump Enumeration, Remote System Discovery Via Telnet"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, Suspicious Desktopimgdownldr Execution, Disable Security Events Logging Adding Reg Key MiniNt, Remote Registry Management Using Reg Utility, Disabling SmartScreen Via Registry, Disable Workstation Lock, Chafer (APT 39) Activity, RDP Port Change Using Powershell, Wdigest Enable UseLogonCredential, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Mimikatz LSASS Memory Access, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, LSASS Memory Dump, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Lsass Access Through WinRM, Windows Credential Editor Registry Key, LSASS Memory Dump File Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Credential Dumping By LaZagne, LSASS Access From Non System Account"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Suspicious Scripting In A WMI Consumer, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool, WMI DLL Loaded Via Office"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Rubeus Register New Logon Process, Possible Replay Attack, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage, RDP Port Change Using Powershell, RDP Login From Localhost, MMC20 Lateral Movement, Remote Service Activity Via SVCCTL Named Pipe, Denied Access To Remote Desktop, Lsass Access Through WinRM, Correlation Impacket Smbexec, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Reconnaissance Commands Activities, PowerView commandlets 2, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, WMI DLL Loaded Via Office, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Registry Key Used By Some Old Agent Tesla Samples, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Correlation Impacket Smbexec, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, Remote Enumeration Of Lateral Movement Groups"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Discovery Commands Correlation, AD User Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Eventlog Cleared, Cookies Deletion, Erase Shell History, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, AD Object WriteDAC Access, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Credentials Extraction, Linux Suspicious Search, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: Successful Brute Force Login From Internet, CVE 2022-1292"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index e92e97004b..659eed9daa 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
index bc18715993..43f0f278ee 100644
--- a/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9844ea0a-de7f-45d4-9a9b-b07651f0630e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Vision One Workbench Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Cmd.exe Command Line, Malicious PowerShell Keywords, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Defender Deactivation Using PowerShell Script, Netsh Allowed Python Program, Disabled IE Security Features, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Windows Defender Deactivation Using PowerShell Script, Disabled IE Security Features, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RDP Port Change Using Powershell, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, Shadow Copies, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Vision One Workbench Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, PowerShell Credential Prompt, Linux Bash Reverse Shell, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Malicious PowerShell Commandlets, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Commands Invocation, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, PowerShell Credential Prompt, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell NTFS Alternate Data Stream, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Windows Defender Deactivation Using PowerShell Script, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft IIS Module Installation, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Discovery Commands Correlation, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Shadow Copies, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Rclone Process, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index ef8dd21d15..cd10e53529 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Threat Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Threat Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Critical Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Activity, Darktrace Threat Visualizer Threat Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Activity, Darktrace Threat Visualizer Threat Suspicious Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 246c14b743..b82a4572f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 33b24c7481..a50198f9e2 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, ZIP LNK Infection Chain, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, ISO LNK Infection Chain, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Ursnif Registry Key"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Csrss Child Found, New Service Creation, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Lsass Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Csrss Child Found, New Service Creation, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Lsass Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Lsass Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Suspicious DNS Child Process, PsExec Process, Rare Logonui Child Found, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Rare Lsass Child Found, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Suspicious DNS Child Process, Rare Logonui Child Found, PsExec Process, SolarWinds Wrong Child Process, Windows Update LolBins, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, ZIP LNK Infection Chain, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Csrss Child Found, OneNote Suspicious Children Process, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Csrss Child Found, OneNote Suspicious Children Process, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, Searchprotocolhost Child Found, Csrss Child Found, OneNote Suspicious Children Process, Rare Logonui Child Found, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Windows Update LolBins, Exfiltration Via Pscp, PsExec Process, Searchprotocolhost Child Found, Csrss Child Found, OneNote Suspicious Children Process, Rare Logonui Child Found, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index 1338344dd0..00345d100f 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL, Python Offensive Tools and Packages"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), ZIP LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Package Manager Alteration, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Cookies Deletion, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), ISO LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, Cookies Deletion"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index f35cdc97a3..c96beda09b 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index d168327645..972e0f6f7a 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cybereason EDR Alert, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, Cybereason EDR Malware Detection, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Cybereason EDR Alert, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Socat Relaying Socket, Cybereason EDR Malware Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Alert, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, PsExec Process, Cybereason EDR Malware Detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, Cybereason EDR Malware Detection, Cybereason EDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Microsoft Office Creating Suspicious File, Cybereason EDR Malware Detection, Cybereason EDR Alert, Socat Relaying Socket"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Cybereason EDR Malware Detection, OneNote Suspicious Children Process, Cybereason EDR Alert"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 3f84bc4dde..e3bdab011d 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 39de49f3b0..6e98740d7d 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index fbd3c4a1bc..e74551e77c 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious Cmd.exe Command Line, Login Brute-Force Successful On SentinelOne EDR Management Console, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Login Brute-Force On Firewall"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Python HTTP Server, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Login Brute-Force On Firewall, Account Added To A Security Enabled Group"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Debugging Software Deactivation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Debugging Software Deactivation, Disabled IE Security Features, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PrinterPorts Creation (CVE-2020-1048), Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Sekoia.io EICAR Detection, Invoke-TheHash Commandlets, Socat Reverse Shell Detection, FromBase64String Command Line, Lazarus Loaders, Socat Relaying Socket, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, PowerShell Commands Invocation, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Login Brute-Force On Firewall"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Python HTTP Server, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Python HTTP Server, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious certutil command"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Suspicious Taskkill Command, Equation Group DLL_U Load"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Debugging Software Deactivation, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, FromBase64String Command Line, PowerShell Invoke Expression With Registry, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, Listing Systemd Environment, WMI Fingerprint Commands"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index c9822e6fa6..1de515c1a5 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index 8fccb6ae0a..e4ca1fc263 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal, Login Brute-Force Successful On Jumpcloud Workstation"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal, Login Brute-Force Successful On Jumpcloud Workstation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index 5c26995c3e..2b8b80344b 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
index 9e1b7271ed..9a63ab08e0 100644
--- a/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OCSF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, LokiBot Default C2 URL, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike DNS Beaconing, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Python HTTP Server, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious URL Requested By Curl Or Wget Commands, Impacket Addcomputer, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Mshta Command From A Scheduled Task, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Usage Of Sysinternals Tools, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Windows Update LolBins, Mshta Command From A Scheduled Task, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OCSF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Python HTTP Server, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Cobalt Strike DNS Beaconing, Suspicious Windows DNS Queries, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious URL Requested By Curl Or Wget Commands, Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft IIS Module Installation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, New Service Creation, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, PsExec Process, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Windows Update LolBins, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 7ca49ca889..9da92b6571 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index 20cf7a83e6..4393dd8956 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index f5b19ed20e..c6663582cc 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, FreeRADIUS Failed Authentication, Login Brute-Force On FreeRadius"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, FreeRADIUS Failed Authentication, Login Brute-Force On FreeRadius"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
index 8e18f7ff32..ef2a5ce90b 100644
--- a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index 2b708b5e1d..32dbe9bd68 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 705d6307d3..eb48b70a90 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One High Intrusion"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One High Intrusion"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Mimikatz Basic Commands, Add User to Privileged Group"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index f3ac293206..9c0f5d892a 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 8c85623442..d6f8a7b9a6 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Trellix Network Security Threat Notified, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Trellix Network Security Threat Blocked, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Trellix Network Security Threat Blocked, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Trellix Network Security Threat Notified, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 936daf757e..5ba7b6514c 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Network Alert, SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ v102", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Nimbo-C2 User Agent, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Network Alert, Gatewatcher AionIQ Malware Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index ac05a712a1..21cdb40876 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index 0ce63d0e22..760e22223d 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 399fa0a632..9cd60ceb7f 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Linux Bash Reverse Shell, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Interactive Terminal Spawned via Python, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Suspicious File Name, PowerShell Credential Prompt, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Aspnet Compiler, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Powershell Web Request, Suspicious Outlook Child Process, Python Offensive Tools and Packages"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Suspicious Outlook Child Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell NTFS Alternate Data Stream, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, PowerShell Credential Prompt, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, PowerShell Malicious PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Suspicious Parent, Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, Package Manager Alteration, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Package Manager Alteration, SELinux Disabling, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, TrustedInstaller Impersonation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, Chafer (APT 39) Activity, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RDP Port Change Using Powershell, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, New Service Creation, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Chafer (APT 39) Activity, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Wininit Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Malicious Service Installations, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Winrshost Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Smbexec.py Service Installation, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, RDP Login From Localhost, MMC20 Lateral Movement, MMC Spawning Windows Shell, RDP Port Change Using Powershell"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs, Malicious Service Installations, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Copying Browser Files With Credentials, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Unsigned Driver Loaded From Suspicious Location"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, Suspicious Double Extension"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, CVE-2021-4034 Polkit's pkexec, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Aspnet Compiler, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, PowerShell Credential Prompt, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious File Name, PowerShell Malicious PowerShell Commandlets, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Chafer (APT 39) Activity, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Relevant File Paths Alerts, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Malicious PowerShell Keywords, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Screenconnect Remote Execution, Suspicious Taskkill Command, PowerShell Credential Prompt, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell NTFS Alternate Data Stream, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Chafer (APT 39) Activity, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Disabled Service, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, TrustedInstaller Impersonation, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Chafer (APT 39) Activity, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Malicious Service Installations, Winrshost Wrong Parent, Suspicious DNS Child Process, Smbexec.py Service Installation, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Suspicious Commands From MS SQL Server Shell, Csrss Child Found, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Creation, PowerCat Function Loading, Microsoft IIS Module Installation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Port Change Using Powershell, MMC20 Lateral Movement, RDP Login From Localhost, Smbexec.py Service Installation"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Windows Credential Editor Registry Key, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Malicious Service Installations, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Credential Dump Tools Related Files, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Unsigned Driver Loaded From Suspicious Location, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History, Cookies Deletion, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1, Ntfsinfo Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1614.001", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1614", "score": 100, "comment": "Rules: Language Discovery"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index 4265e2a767..0b1266db63 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index ef99ad08ef..4bbf096afc 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, TrevorC2 HTTP Communication"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index c2519b0995..c6bc8d8a50 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
index fe228f9ff3..802752cc1d 100644
--- a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Cyberwatch Detection Critical Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 1ff656a960..804eecf681 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket, Aspnet Compiler"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Microsoft 365 (Office 365) Safelinks Disabled, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS New Country, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Risky IP, Possible Malicious File Double Extension, RDP Configuration File From Mail Process, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 Security and Compliance Center High Severity Alert, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 Security and Compliance Center Medium Severity Alert, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Safelinks Disabled, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, HTA Infection Chains, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Risky IP, ISO LNK Infection Chain, ZIP LNK Infection Chain, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Email Attachment Received, RDP Configuration File From Mail Process, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Double Extension"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Download Links From Legitimate Services, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, RDP Configuration File From Mail Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA), Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Sekoia.io EICAR Detection, Aspnet Compiler, Socat Relaying Socket"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 Security and Compliance Center Medium Severity Alert, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Suspicious Email Attachment Received, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 Security and Compliance Center High Severity Alert, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Mass Download By A Single User, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MCAS Inbox Hiding, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, ZIP LNK Infection Chain, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Repeated Delete, HTA Infection Chains, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Rule Deletion, ISO LNK Infection Chain, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Medium Severity AIR Alert, RDP Configuration File From Mail Process, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Suspicious Download Links From Legitimate Services, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index 41bd35302a..dbff3e58a2 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index 746a5f84bb..fb2b924a4d 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
index 176c5f55cc..6ed99abd82 100644
--- a/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d11df984-840d-4c29-a6dc-b9195c3a24e3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitdefender GravityZone [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitdefender GravityZone [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 0225c868f7..9be0d41f1e 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 8ed06ed3f4..30ed862269 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 48bfb6b69f..f9d481f580 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail S3 Bucket Replication, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Disable MFA, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Disable MFA, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Important Change, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 CreateKeyPair"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 CreateKeyPair"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail S3 Bucket Replication, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Important Change, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM DeleteOpenIDConnectProvider, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail Important Change, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail Disable MFA"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup, User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 0f0edbc672..f364d482c6 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index 570d84c512..e7ffdc64dc 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index 059df7e7c2..26a590b466 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index a38849e0d0..369d796815 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On WatchGuard Firebox"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 313d8310aa..90eba32d43 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected, WAF Block Rule"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
index 88613bf9ba..bb12580191 100644
--- a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index 7d5d844235..1f4c8fb0be 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Zscaler ZIA Suspicious Threat, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Zscaler ZIA Suspicious Threat, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Zscaler ZIA Malicious Threat"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Sliver DNS Beaconing, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike DNS Beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Cobalt Strike DNS Beaconing, Cobalt Strike HTTP Default GET beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Cryptomining, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index d95814eb5f..c04b8ef637 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 7dc1aaadf4..025ca685f1 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Authentication Impossible Travel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit, Authentication Impossible Travel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Authentication Impossible Travel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Netskope Admin Audit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index d3de81dfc8..7bc75329a3 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index 88e0bce88c..444b697447 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Suspicious Email Attachment Received, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (W2 Fraud) Detected By Vade For M365, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Scam Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Phishing Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Spearphishing (CEO Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 4bf221adde..cb826e970e 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application modified, Okta Admin Privilege Granted, Okta User Impersonation Access, Okta Application deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Security Threat Configuration Updated, Okta Network Zone Modified, Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported, Okta Many Passwords Reset Attempt"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Account Deactivated, Okta Application modified, Okta User Impersonation Access, Okta Application deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta MFA Disabled, Okta Blacklist Manipulations, Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Many Passwords Reset Attempt, Okta Unauthorized Access to App"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
index f43e4b6b7c..c9ddb520bf 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 772e833b78..28093da1ae 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Creating Suspicious File, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, MalwareBytes Uninstallation, Suspicious File Name, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Malspam Execution Registering Malicious DLL, Python Offensive Tools and Packages"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, SELinux Disabling, Netsh Port Opening, Disabled IE Security Features, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Dism Disabling Windows Defender, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Generic, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Wdigest Enable UseLogonCredential, Blue Mockingbird Malware, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Microsoft IIS Module Installation, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Service Call, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Phorpiex DriveMgr Command, Mustang Panda Dropper, MalwareBytes Uninstallation, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Python Offensive Tools and Packages, PowerShell Malicious Nishang PowerShell Commandlets, Elise Backdoor, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious File Name, Microsoft Office Creating Suspicious File, PowerShell Commands Invocation, Sysprep On AppData Folder, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Windows Firewall Changes, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, SELinux Disabling, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Disabled Service, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft IIS Module Installation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, WMImplant Hack Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Credential Dump Tools Related Files, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Elise Backdoor, Suspicious Cmd.exe Command Line, Lazarus Loaders, WMIC Uninstall Product, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Microsoft Office Macro Security Registry Modifications, Malware Persistence Registry Key, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Njrat Registry Values, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Scanning and Discovery, PowerView commandlets 1, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Compression Followed By Suppression, High Privileges Network Share Removal, Erase Shell History"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json
index a167bf8da4..ebfb496f1d 100644
--- a/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Prisma access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block Multiple Destinations, WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Internet Scanner Target, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Authentication Impossible Travel, Login Brute-Force On Firewall"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Account Removed From A Security Enabled Group, Login Brute-Force On Firewall, Account Added To A Security Enabled Group"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Prisma access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, WAF Correlation Block actions, Internet Scanner Target"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Login Brute-Force On Firewall, Authentication Impossible Travel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Authentication Impossible Travel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index 409daf3c2a..f94c25f6c7 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 9d6a3a907b..44c6f6f72b 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Elevated Shell Launched By Browser"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 660b1d40e1..a81fd9334a 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index d29459c45c..c7b42b7e2f 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index 321643f155..abf6aa8d6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 049fa991ad..f0251e0797 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index 3107c28be1..dc8217c608 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious File Name, Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index 325cf4c8ca..c87ebb75f1 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, Web Application Launching Shell, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious VBS Execution Parameter, Generic-reverse-shell-oneliner, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Threat Detected, Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious CodePage Switch with CHCP, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Elise Backdoor, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Windows Script Execution, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Mustang Panda Dropper, Sysprep On AppData Folder, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious Outlook Child Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Burp Suite Tool Detected, Internet Scanner Target"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Stormshield Ses Critical Not Block, HTA Infection Chains, Winword Document Droppers, ISO LNK Infection Chain, Explorer Process Executing HTA File, Stormshield Ses Emergency Block, ZIP LNK Infection Chain, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Stormshield Ses Critical Block, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft IIS Module Installation, Antivirus Web Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, System Network Connections Discovery, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Elevated Shell Launched By Browser, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allowed Python Program, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Netsh Allow Command, Disable Windows Defender Credential Guard, Windows Firewall Changes, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh Port Opening, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, FLTMC command usage, Netsh RDP Port Opening, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Tampering Detected, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Control Process, Empire Monkey Activity, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, CMSTP Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, IcedID Execution Using Excel, MOFComp Execution, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Control Panel Items, AccCheckConsole Executing Dll, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disable Windows Defender Credential Guard, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Malware Protection Engine Crash, Netsh Port Opening, Disabled IE Security Features, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Services, WMIC Uninstall Product, MalwareBytes Uninstallation, Fail2ban Unban IP, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Dism Disabling Windows Defender, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Relaying Socket, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Disable Workstation Lock, Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Disabling SmartScreen Via Registry, RDP Sensitive Settings Changed, Suspicious Desktopimgdownldr Execution, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, LanManServer Registry Modify, Ursnif Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious PowerShell Keywords, PowerShell Download From URL, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Screenconnect Remote Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Bloodhound and Sharphound Tools Usage, Correlation Supicious Powershell Drop and Exec, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, FromBase64String Command Line, WMImplant Hack Tool, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, HTML Smuggling Suspicious Usage, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, COM Hijack Via Sdclt, Change Default File Association, Reconnaissance Commands Activities, Control Panel Items, Component Object Model Hijacking, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Mshta Command From A Scheduled Task, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, New Service Creation, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, New Service Creation, Logonui Wrong Parent, Gpscript Suspicious Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Exfiltration Via Pscp, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Logonui Wrong Parent, Wsmprovhost Wrong Parent, Gpscript Suspicious Parent, Csrss Wrong Parent, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Searchprotocolhost Child Found, Rare Lsass Child Found, Spoolsv Wrong Parent, PsExec Process, Searchindexer Wrong Parent, Windows Update LolBins, Lsass Wrong Parent, Mshta Command From A Scheduled Task, Csrss Child Found, Smss Wrong Parent, SolarWinds Wrong Child Process, Svchost Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, OneNote Suspicious Children Process, Winlogon wrong parent, Rare Logonui Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMI Fingerprint Commands, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Listing Systemd Environment, Discovery Commands Correlation, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Mustang Panda Dropper, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Web Application Launching Shell, Lazarus Loaders, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Microsoft Office Macro Security Registry Modifications, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Malware Persistence Registry Key, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Eventlog Cleared, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, FLTMC command usage, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Shell PID Injection, HTML Smuggling Suspicious Usage, COM Hijack Via Sdclt, UAC Bypass via Event Viewer, Reconnaissance Commands Activities, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, Socat Reverse Shell Detection, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Lazarus Loaders, Socat Relaying Socket, PowerShell Download From URL, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Elise Backdoor, Suspicious Cmd.exe Command Line, Screenconnect Remote Execution, Trickbot Malware Activity, Suspicious Taskkill Command, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Linux Bash Reverse Shell, Suspicious CodePage Switch with CHCP, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Mustang Panda Dropper, Interactive Terminal Spawned via Python, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Web Application Launching Shell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious VBS Execution Parameter, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Disabled Base64 Encoded, QakBot Process Creation, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell Commands Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Sekoia.io EICAR Detection, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway, TOR Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS), Elevated Shell Launched By Browser"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, RDP Configuration File From Mail Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Stormshield Ses Critical Not Block, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, ZIP LNK Infection Chain, Stormshield Ses Critical Block, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HTA Infection Chains, IcedID Execution Using Excel, Stormshield Ses Emergency Block, Malspam Execution Registering Malicious DLL, ISO LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Antivirus Web Shell Detection, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft IIS Module Installation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, Python HTTP Server, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, ACLight Discovering Privileged Accounts, System Network Connections Discovery, Adidnsdump Enumeration, Internet Scanner Target, Remote System Discovery Via Telnet"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh RDP Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Tampering Detected, Netsh Port Forwarding, Disabled IE Security Features, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Clear EventLogs Through CommandLine, ETW Tampering, Debugging Software Deactivation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh Port Opening, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, FLTMC command usage, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MOFComp Execution, Suspicious Control Process, Suspicious Taskkill Command, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, IcedID Execution Using Excel, xWizard Execution, Suspicious Mshta Execution, Control Panel Items, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, Suspicious Regasm Regsvcs Usage, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Equation Group DLL_U Load, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, MalwareBytes Uninstallation, NetNTLM Downgrade Attack, Suspicious PROCEXP152.sys File Created In Tmp, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Disabled IE Security Features, Netsh RDP Port Forwarding, Debugging Software Deactivation, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, WMIC Uninstall Product, Netsh Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh RDP Port Opening, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable SecurityHealth, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool, Socat Relaying Socket"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, Disabling SmartScreen Via Registry, Disable Workstation Lock, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Suspicious New Printer Ports In Registry, LanManServer Registry Modify, Ursnif Registry Key, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Wdigest Enable UseLogonCredential, OceanLotus Registry Activity, FlowCloud Malware"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Invoke-TheHash Commandlets, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, PowerShell Download From URL, WMImplant Hack Tool, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Malicious Nishang PowerShell Commandlets, Correlation Supicious Powershell Drop and Exec, Screenconnect Remote Execution, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Downgrade Attack, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploited CVE-2020-10189 Zoho ManageEngine, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, WMI Event Subscription, COM Hijack Via Sdclt"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, New Service Creation, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchprotocolhost Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Lsass Wrong Parent, Rare Lsass Child Found, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Spoolsv Wrong Parent, Svchost Wrong Parent, Dllhost Wrong Parent, SolarWinds Wrong Child Process, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Lsass Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Wsmprovhost Wrong Parent, Smss Wrong Parent, PsExec Process, Searchprotocolhost Child Found, Csrss Wrong Parent, Taskhostw Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Mshta Command From A Scheduled Task, Searchprotocolhost Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Logonui Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Taskhost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, Blue Mockingbird Malware, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, WMI Fingerprint Commands, WMImplant Hack Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: Elevated Shell Launched By Browser"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation, Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Shadow Copies, WMI Fingerprint Commands, Discovery Commands Correlation, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NetNTLM Downgrade Attack, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Mimikatz Basic Commands, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Wdigest Enable UseLogonCredential"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line, Web Application Launching Shell, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Screenconnect Remote Execution, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Microsoft Office Macro Security Registry Modifications"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Svchost Modification, DLL Load via LSASS Registry Key, NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Microsoft Office Macro Security Registry Modifications, Kernel Module Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery, Shell PID Injection, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Reconnaissance Commands Activities, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde, Discovery Commands Correlation, Shell PID Injection"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Share Discovery"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, High Privileges Network Share Removal, Eventlog Cleared, Erase Shell History, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Shell PID Injection, COM Hijack Via Sdclt"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Mshta JavaScript Execution, Suspicious Mshta Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Linux Suspicious Search"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation, Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, RDP Configuration File From Mail Process, Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Ntfsinfo Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar, Compress Data for Exfiltration via Archiver"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious certutil command"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: RDP Configuration File From Mail Process"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
index 3c75a094ae..51323769bd 100644
--- a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index 79fe0e1bd3..ad58ed4896 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name, Socat Relaying Socket, Aspnet Compiler"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ZIP LNK Infection Chain, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Microsoft Office Creating Suspicious File, ZIP LNK Infection Chain, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, Suspicious File Name, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Aspnet Compiler, Socat Relaying Socket"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, ZIP LNK Infection Chain, HTA Infection Chains, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Process Trace Alteration, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Package Manager Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 8782e9e526..e66e03ed84 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Koadic MSHTML Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Cryptomining, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index fecd283173..44d0a72f91 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, GitLab CVE-2021-22205, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Cryptomining, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-0604 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 8da0dedfe4..cf87b0a582 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,7 +1,10 @@
-Changelog _last update on 2024-12-11_
+Changelog _last update on 2024-12-12_
 
 ## Changelog
 
+### Sign-In Via Known AiTM Phishing Kit
+  - 12/12/2024 - minor - Update the selections to use a more appropriate ECS field. The rule now matches on more intakes. The name of the rule has been modified as well.
+    
 ### HackTools Suspicious Names
   - 11/12/2024 - minor - Added a default similarity based on host name and user name to avoid too many alerts.
     
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index fd337e9e47..313d3e0bb4 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **981 built-in detection rules** ([_last update on 2024-12-11_](rules_changelog.md)).
+Rules catalog includes **981 built-in detection rules** ([_last update on 2024-12-12_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Identity Information**
 
@@ -10857,12 +10857,6 @@ Rules catalog includes **981 built-in detection rules** ([_last update on 2024-1
             
 **Multi-Factor Authentication Interception**
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-    
 ??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"
     
     Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.
@@ -10922,6 +10916,16 @@ Rules catalog includes **981 built-in detection rules** ([_last update on 2024-1
     
         - 02/08/2024 - minor - Exclude an additionnal legitimate domain.
             
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+    
+    - **Changelog:**
+    
+        - 12/12/2024 - minor - Update the selections to use a more appropriate ECS field. The rule now matches on more intakes. The name of the rule has been modified as well.
+            
 **Forced Authentication**
 
 ??? abstract "Correlation Suspicious Authentication Coercer Behavior"
@@ -11135,12 +11139,6 @@ Rules catalog includes **981 built-in detection rules** ([_last update on 2024-1
     
     - **Effort:** intermediate
     
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-    
 ??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"
     
     Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.
@@ -11204,6 +11202,16 @@ Rules catalog includes **981 built-in detection rules** ([_last update on 2024-1
     
         - 02/08/2024 - minor - Exclude an additionnal legitimate domain.
             
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+    
+    - **Changelog:**
+    
+        - 12/12/2024 - minor - Update the selections to use a more appropriate ECS field. The rule now matches on more intakes. The name of the rule has been modified as well.
+            
 **Steal or Forge Kerberos Tickets**
 
 ??? abstract "Kerberos Pre-Auth Disabled in UAC"
@@ -12280,12 +12288,6 @@ Rules catalog includes **981 built-in detection rules** ([_last update on 2024-1
     
     - **Effort:** intermediate
     
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-    
 ??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"
     
     Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.
@@ -12349,6 +12351,16 @@ Rules catalog includes **981 built-in detection rules** ([_last update on 2024-1
     
         - 02/08/2024 - minor - Exclude an additionnal legitimate domain.
             
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+    
+    - **Changelog:**
+    
+        - 12/12/2024 - minor - Update the selections to use a more appropriate ECS field. The rule now matches on more intakes. The name of the rule has been modified as well.
+            
 **Archive Collected Data**
 
 ??? abstract "Compress Data for Exfiltration via Archiver"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md
index 46de203e0c..277ab46bef 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md
@@ -39,12 +39,6 @@ The following Sekoia.io built-in rules match the intake **Google Report**. This
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
@@ -225,6 +219,12 @@ The following Sekoia.io built-in rules match the intake **Google Report**. This
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious File Name"
     
     Detects suspicious file name possibly linked to malicious tool.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md
index dd54bf2783..758616470d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md
@@ -33,12 +33,6 @@ The following Sekoia.io built-in rules match the intake **Microsoft Entra ID / A
     
     - **Effort:** elementary
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"
     
     Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.
@@ -237,6 +231,12 @@ The following Sekoia.io built-in rules match the intake **Microsoft Entra ID / A
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.md
index cb7687f058..aa8d7c4d4f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.md
@@ -33,12 +33,6 @@ The following Sekoia.io built-in rules match the intake **Fortinet FortiWeb**. T
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
@@ -117,6 +111,12 @@ The following Sekoia.io built-in rules match the intake **Fortinet FortiWeb**. T
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
index eb918e9e49..bbdfc399e2 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
@@ -555,12 +555,6 @@ The following Sekoia.io built-in rules match the intake **CrowdStrike Falcon**.
     
     - **Effort:** elementary
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Equation Group DLL_U Load"
     
     Detects a specific tool and export used by EquationGroup
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
index 68d820a5bc..fdfd85089a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
@@ -99,12 +99,6 @@ The following Sekoia.io built-in rules match the intake **Cato Networks SASE**.
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
@@ -207,6 +201,12 @@ The following Sekoia.io built-in rules match the intake **Cato Networks SASE**.
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md
index 0a51dd7989..37e3362ede 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md
@@ -15,12 +15,6 @@ The following Sekoia.io built-in rules match the intake **Cisco Duo Security**.
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
@@ -75,6 +69,12 @@ The following Sekoia.io built-in rules match the intake **Cisco Duo Security**.
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md
index 78fced0d25..40c11f846d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md
@@ -51,6 +51,12 @@ The following Sekoia.io built-in rules match the intake **Cloudflare Access Requ
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.md
index edc44013d6..3e1ab9bb0c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.md
@@ -105,12 +105,6 @@ The following Sekoia.io built-in rules match the intake **Fortinet FortiMail**.
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
@@ -207,6 +201,12 @@ The following Sekoia.io built-in rules match the intake **Fortinet FortiMail**.
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md
index 646fffcc5a..92a586cb20 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md
@@ -15,12 +15,6 @@ The following Sekoia.io built-in rules match the intake **Cloudflare Audit logs*
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md
index f4dfd88cdd..5e95cbe8eb 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md
@@ -45,6 +45,18 @@ The following Sekoia.io built-in rules match the intake **Infoblox DDI**. This d
     
     - **Effort:** master
 
+??? abstract "Internet Scanner"
+    
+    Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.
+    
+    - **Effort:** master
+
+??? abstract "Internet Scanner Target"
+    
+    Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP and group by target address. This could be a very noisy rule, so be careful to check your detection perimeter before activation.
+    
+    - **Effort:** master
+
 ??? abstract "Potential DNS Tunnel"
     
     Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels.
@@ -93,6 +105,12 @@ The following Sekoia.io built-in rules match the intake **Infoblox DDI**. This d
     
     - **Effort:** advanced
 
+??? abstract "TOR Usage"
+    
+    Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
+    
+    - **Effort:** master
+
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
index d10be95279..02078b4efd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
@@ -189,12 +189,6 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
@@ -399,6 +393,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.md
index d0055ff886..584710c3ca 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.md
@@ -171,12 +171,6 @@ The following Sekoia.io built-in rules match the intake **Netskope Transaction E
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md
index 77c2890047..13a00e1ac5 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a9c959ac-78ec-47a4-924e-8156a77cebf5_do_not_edit_manually.md
@@ -615,12 +615,6 @@ The following Sekoia.io built-in rules match the intake **OCSF [BETA]**. This do
     
     - **Effort:** elementary
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Equation Group DLL_U Load"
     
     Detects a specific tool and export used by EquationGroup
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md
index b60e6f72b6..58c3cd755b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md
@@ -63,6 +63,12 @@ The following Sekoia.io built-in rules match the intake **FreeRADIUS**. This doc
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "TOR Usage"
     
     Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
index 456fd0105d..f64db4dacf 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
@@ -207,12 +207,6 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office
     
     - **Effort:** elementary
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit (Mamba 2FA)"
     
     Detects a sign-in attempt with known characteristics of the adversary-in-the-middle phishing kit tracked by Sekoia.io as Mamba 2FA.
@@ -639,6 +633,12 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Socat Relaying Socket"
     
     Socat is a linux tool used to relay local socket or internal network connection, this technics is often used by attacker to bypass security equipment such as firewall
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md
index 1600fa9318..a0879df485 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md
@@ -27,12 +27,6 @@ The following Sekoia.io built-in rules match the intake **Cloudflare Gateway Net
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
index 92293c929f..e213292f87 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
@@ -207,12 +207,6 @@ The following Sekoia.io built-in rules match the intake **Salesforce**. This doc
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
@@ -345,6 +339,12 @@ The following Sekoia.io built-in rules match the intake **Salesforce**. This doc
     
     - **Effort:** elementary
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
index ec3706bba9..cce2684eeb 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
@@ -63,12 +63,6 @@ The following Sekoia.io built-in rules match the intake **WatchGuard Firebox**.
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
@@ -171,6 +165,12 @@ The following Sekoia.io built-in rules match the intake **WatchGuard Firebox**.
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Sliver DNS Beaconing"
     
     Detects suspicious DNS queries known from Sliver beaconing 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md
index 2cccf2c5e7..04b33e659f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md
@@ -225,12 +225,6 @@ The following Sekoia.io built-in rules match the intake **Zscaler Internet Acces
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
@@ -399,6 +393,12 @@ The following Sekoia.io built-in rules match the intake **Zscaler Internet Acces
     
     - **Effort:** elementary
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Sliver DNS Beaconing"
     
     Detects suspicious DNS queries known from Sliver beaconing 
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
index e599e67c79..450b92b06e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
@@ -123,12 +123,6 @@ The following Sekoia.io built-in rules match the intake **Netskope**. This docum
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
@@ -297,6 +291,12 @@ The following Sekoia.io built-in rules match the intake **Netskope**. This docum
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md
index 17ed7cbbf3..67ee4edc35 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md
@@ -15,12 +15,6 @@ The following Sekoia.io built-in rules match the intake **Okta**. This documenta
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "Exfiltration Domain"
     
     Detects traffic toward a domain flagged as a possible exfiltration vector.
@@ -237,6 +231,12 @@ The following Sekoia.io built-in rules match the intake **Okta**. This documenta
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "TOR Usage Generic Rule"
     
     Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.md
index 968618a5c6..66af174765 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ea265b9d-fb48-4e92-9c26-dcfbf937b630_do_not_edit_manually.md
@@ -189,12 +189,6 @@ The following Sekoia.io built-in rules match the intake **Palo Alto Prisma acces
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
@@ -399,6 +393,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto Prisma acces
     
     - **Effort:** master
 
+??? abstract "Sign-In Via Known AiTM Phishing Kit"
+    
+    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
+    
+    - **Effort:** elementary
+
 ??? abstract "Suspicious Download Links From Legitimate Services"
     
     Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md
index d88bb64d75..0b6dfbcf8e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md
@@ -207,12 +207,6 @@ The following Sekoia.io built-in rules match the intake **Cloudflare Gateway HTT
     
     - **Effort:** master
 
-??? abstract "Entra ID Sign-In Via Known AiTM Phishing Kit"
-    
-    Detects a sign-in attempt from an IP address belonging to a known adversary-in-the-middle phishing kit.
-    
-    - **Effort:** elementary
-
 ??? abstract "EvilProxy Phishing Domain"
     
     Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 45825958d1..41e1a8c105 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
 # Built-in detection rules, EventIDs and EventProviders relations
 SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-12-11_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-12-12_
 
 The colors of the EventIDs in this page should be interpreted as follow: