From aa11a671bf15d2faad97a0c5dcce755d6ccb5056 Mon Sep 17 00:00:00 2001
From: Car0l1n3 <129948848+Car0l1n3@users.noreply.github.com>
Date: Wed, 10 Jul 2024 15:42:51 +0000
Subject: [PATCH] Refresh Built-in detection rules documentation
---
...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +-
...41e-af269b45bef1_do_not_edit_manually.json | 2 +-
...7d1-588319e39d71_do_not_edit_manually.json | 2 +-
...5c4-c8174c307e48_do_not_edit_manually.json | 2 +-
...b24-902c9daa2d3c_do_not_edit_manually.json | 2 +-
...06d-f92f3a46bcdd_do_not_edit_manually.json | 2 +-
...575-9e43af779f9f_do_not_edit_manually.json | 2 +-
...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +-
...02e-e88fe2193365_do_not_edit_manually.json | 2 +-
...dc1-0242ac120002_do_not_edit_manually.json | 2 +-
...803-e7990afe78b6_do_not_edit_manually.json | 2 +-
...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +-
...9b6-76bf5298a617_do_not_edit_manually.json | 2 +-
...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +-
...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +-
...46b-974354a107bb_do_not_edit_manually.json | 2 +-
...cfd-43f7d9595777_do_not_edit_manually.json | 2 +-
...176-f1fa13589eea_do_not_edit_manually.json | 2 +-
...d19-67edc91fb063_do_not_edit_manually.json | 2 +-
...c1c-46804e636084_do_not_edit_manually.json | 2 +-
...e06-7b335e439c29_do_not_edit_manually.json | 2 +-
...030-e9b92168bbf4_do_not_edit_manually.json | 2 +-
...916-636c27ba4931_do_not_edit_manually.json | 2 +-
...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +-
...58e-81b9418e6584_do_not_edit_manually.json | 2 +-
...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +-
...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +-
...976-250cba2eaf5b_do_not_edit_manually.json | 2 +-
...00a-2b58303cac90_do_not_edit_manually.json | 2 +-
...e47-1574946412b6_do_not_edit_manually.json | 2 +-
...27a-d619f2bb584a_do_not_edit_manually.json | 2 +-
...750-5db882ea1266_do_not_edit_manually.json | 2 +-
...87f-48a3dc07d4d3_do_not_edit_manually.json | 2 +-
...833-e971451b2979_do_not_edit_manually.json | 2 +-
...e19-e38e167432a1_do_not_edit_manually.json | 2 +-
...033-6f1f887a70f2_do_not_edit_manually.json | 2 +-
...597-d2944a601930_do_not_edit_manually.json | 2 +-
...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +-
...846-6f2a794583e1_do_not_edit_manually.json | 2 +-
...f3b-f73a622c9687_do_not_edit_manually.json | 2 +-
...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +-
...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +-
...d69-684a0b3835fc_do_not_edit_manually.json | 2 +-
...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +-
...4e0-4f0c0f9138b8_do_not_edit_manually.json | 2 +-
...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +-
...703-7452882e70da_do_not_edit_manually.json | 2 +-
...2ff-0e1cde564161_do_not_edit_manually.json | 2 +-
...630-da4fcdb8d5f1_do_not_edit_manually.json | 2 +-
...f81-30df7b1963a0_do_not_edit_manually.json | 2 +-
...e09-44d31626b694_do_not_edit_manually.json | 2 +-
...876-85102b18d832_do_not_edit_manually.json | 2 +-
...6cc-0ca31abd5d24_do_not_edit_manually.json | 2 +-
...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +-
...47b-ef64dd87c981_do_not_edit_manually.json | 2 +-
...9a2-fd8ffbcdff50_do_not_edit_manually.json | 2 +-
...861-0253b15de650_do_not_edit_manually.json | 2 +-
...746-b2b9f366e34b_do_not_edit_manually.json | 2 +-
...780-b225c59e9f99_do_not_edit_manually.json | 2 +-
...1f3-49e3993c16f5_do_not_edit_manually.json | 2 +-
...546-98539fc07725_do_not_edit_manually.json | 2 +-
...3ea-b9be92914fa2_do_not_edit_manually.json | 2 +-
...c61-6794fd44d9a8_do_not_edit_manually.json | 2 +-
...6db-90fcdd7236f1_do_not_edit_manually.json | 2 +-
...f2d-eed5013fe463_do_not_edit_manually.json | 2 +-
...4cf-3e64787c1c39_do_not_edit_manually.json | 2 +-
...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +-
...c15-3828627ba899_do_not_edit_manually.json | 2 +-
...7a6-d575ffcb29f7_do_not_edit_manually.json | 2 +-
...5de-5c2722fa020e_do_not_edit_manually.json | 2 +-
...a62-49fa5f2c9206_do_not_edit_manually.json | 2 +-
...d8b-08d6315e1ef6_do_not_edit_manually.json | 2 +-
...893-a48b6903d871_do_not_edit_manually.json | 2 +-
...70f-fd3b54ba1fe4_do_not_edit_manually.json | 2 +-
...e15-4b99a12b754c_do_not_edit_manually.json | 2 +-
...fb3-f7c543fd84a5_do_not_edit_manually.json | 2 +-
...b6d-3f79045f28fa_do_not_edit_manually.json | 2 +-
...a81-31090d723a60_do_not_edit_manually.json | 2 +-
...bc9-74be1e0ca1c1_do_not_edit_manually.json | 2 +-
...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +-
...079-ab35ac6b2ab9_do_not_edit_manually.json | 2 +-
...d7f-a0c39a2b2279_do_not_edit_manually.json | 2 +-
...398-031afe91faa0_do_not_edit_manually.json | 2 +-
...b3d-b7cb7b7db618_do_not_edit_manually.json | 2 +-
...079-3dd25d472e0a_do_not_edit_manually.json | 2 +-
...96a-8808b3c6cade_do_not_edit_manually.json | 2 +-
...18d-26e1e3b2409c_do_not_edit_manually.json | 2 +-
...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +-
...729-8cbc9c65be55_do_not_edit_manually.json | 2 +-
...563-db21da09cafd_do_not_edit_manually.json | 2 +-
...78a-51d62e84c8df_do_not_edit_manually.json | 2 +-
...4db-d6a2300f5580_do_not_edit_manually.json | 2 +-
...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +-
...427-621541e881d5_do_not_edit_manually.json | 2 +-
...93f-bbd70d114188_do_not_edit_manually.json | 2 +-
...90d-9af2f7be7019_do_not_edit_manually.json | 2 +-
...76c-408472fcfebb_do_not_edit_manually.json | 2 +-
...1ed-b9e88f05e67a_do_not_edit_manually.json | 2 +-
...462-cf7fc8bcd51a_do_not_edit_manually.json | 2 +-
...060-a9d9f2d270db_do_not_edit_manually.json | 2 +-
...dd4-30f1870e3d03_do_not_edit_manually.json | 2 +-
...afa-595bd430c0cb_do_not_edit_manually.json | 2 +-
...f79-da99b487b1af_do_not_edit_manually.json | 2 +-
...e37-842703494be0_do_not_edit_manually.json | 2 +-
...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +-
...6fc-8f8b2c617466_do_not_edit_manually.json | 2 +-
...55c-34d2301c1f51_do_not_edit_manually.json | 2 +-
...f5b-6968f8ac04ba_do_not_edit_manually.json | 2 +-
...0b6-7df6738d5d7f_do_not_edit_manually.json | 2 +-
...659-9bf0e577944f_do_not_edit_manually.json | 2 +-
...79a-f97be24cc02d_do_not_edit_manually.json | 2 +-
...e56-0242ac120002_do_not_edit_manually.json | 2 +-
...763-aad3451821e5_do_not_edit_manually.json | 2 +-
...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +-
...b7a-4f2d0a518b04_do_not_edit_manually.json | 2 +-
...475-a7f43754ab6d_do_not_edit_manually.json | 2 +-
...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +-
...3ba-652eca2e8ed0_do_not_edit_manually.json | 2 +-
...895-c8769a749d45_do_not_edit_manually.json | 2 +-
...b61-836b2d45a742_do_not_edit_manually.json | 2 +-
...04b-ebda6756db60_do_not_edit_manually.json | 2 +-
...43e-9848cadb1f99_do_not_edit_manually.json | 2 +-
...844-f7f4d7348199_do_not_edit_manually.json | 2 +-
...a2c-6a89635d8615_do_not_edit_manually.json | 2 +-
...a64-fb65d4b0a4cf_do_not_edit_manually.json | 2 +-
...847-983f38efb8ff_do_not_edit_manually.json | 2 +-
...602-a5994544d9ed_do_not_edit_manually.json | 2 +-
...e3d-587fdd99a421_do_not_edit_manually.json | 2 +-
...bb3-f0290b99f014_do_not_edit_manually.json | 2 +-
...723-84060aeb5529_do_not_edit_manually.json | 2 +-
...f71-46155af56570_do_not_edit_manually.json | 2 +-
...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +-
...9e6-ee5a00ee0956_do_not_edit_manually.json | 2 +-
...fa0-c63661820941_do_not_edit_manually.json | 2 +-
...73d-6eb8b982afcd_do_not_edit_manually.json | 2 +-
...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +-
...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +-
...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +-
...785-c1276277b5d7_do_not_edit_manually.json | 2 +-
...ea4-247b12b3d74b_do_not_edit_manually.json | 2 +-
...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +-
...09d-cf0e5daf3ccd_do_not_edit_manually.json | 2 +-
...af5-b69c7b679887_do_not_edit_manually.json | 2 +-
...d9d-1a018cd8c4bb_do_not_edit_manually.json | 2 +-
...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +-
...671-77903dc8de69_do_not_edit_manually.json | 2 +-
...399-ddd992d48472_do_not_edit_manually.json | 2 +-
...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +-
...098-fe4a9e0aeaa0_do_not_edit_manually.json | 2 +-
...15a-a4b010d9a872_do_not_edit_manually.json | 2 +-
...7e6-7e0948e12415_do_not_edit_manually.json | 2 +-
...0ca-b33f9b27f3d9_do_not_edit_manually.json | 2 +-
...in_rules_changelog_do_not_edit_manually.md | 396 +++----
.../built_in_rules_do_not_edit_manually.md | 9 +-
...-97d1-588319e39d71_do_not_edit_manually.md | 6 -
...-85c4-c8174c307e48_do_not_edit_manually.md | 6 -
...-a5e2-4597e366b8c4_do_not_edit_manually.md | 6 -
...-802e-e88fe2193365_do_not_edit_manually.md | 6 -
...-a9b6-76bf5298a617_do_not_edit_manually.md | 6 -
...-8176-f1fa13589eea_do_not_edit_manually.md | 6 -
...-9d19-67edc91fb063_do_not_edit_manually.md | 6 -
...-8038-3f7d5a3b8b11_do_not_edit_manually.md | 6 -
...-9833-e971451b2979_do_not_edit_manually.md | 6 -
...-8033-6f1f887a70f2_do_not_edit_manually.md | 6 -
...-96bd-91a447bb26bd_do_not_edit_manually.md | 6 -
...-af3b-f73a622c9687_do_not_edit_manually.md | 6 -
...-a109-c6d85b91bbcf_do_not_edit_manually.md | 6 -
...-a47b-ef64dd87c981_do_not_edit_manually.md | 6 -
...-b861-0253b15de650_do_not_edit_manually.md | 6 -
...-b780-b225c59e9f99_do_not_edit_manually.md | 6 -
...-8a62-49fa5f2c9206_do_not_edit_manually.md | 6 -
...-8fb3-f7c543fd84a5_do_not_edit_manually.md | 6 -
...-bf1d-772e9a30f0dd_do_not_edit_manually.md | 6 -
...-a76c-408472fcfebb_do_not_edit_manually.md | 6 -
...-9462-cf7fc8bcd51a_do_not_edit_manually.md | 6 -
...-b060-a9d9f2d270db_do_not_edit_manually.md | 6 -
...-bf79-da99b487b1af_do_not_edit_manually.md | 6 -
...-85aa-2a6a900df99b_do_not_edit_manually.md | 6 -
...-b895-c8769a749d45_do_not_edit_manually.md | 6 +
...-943e-9848cadb1f99_do_not_edit_manually.md | 6 -
...-a847-983f38efb8ff_do_not_edit_manually.md | 6 -
...-a602-a5994544d9ed_do_not_edit_manually.md | 6 -
...-bf71-46155af56570_do_not_edit_manually.md | 6 -
...-8e0e-ca4e6cecf7e6_do_not_edit_manually.md | 6 -
...-baf5-b69c7b679887_do_not_edit_manually.md | 6 -
...-9d9d-1a018cd8c4bb_do_not_edit_manually.md | 6 -
...-8671-77903dc8de69_do_not_edit_manually.md | 6 -
...-a399-ddd992d48472_do_not_edit_manually.md | 6 -
...-9098-fe4a9e0aeaa0_do_not_edit_manually.md | 6 -
...-915a-a4b010d9a872_do_not_edit_manually.md | 6 -
.../built_in_detection_rules_eventids.md | 965 +++++++++---------
191 files changed, 845 insertions(+), 1045 deletions(-)
diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index 8eeaa28439..622acfd751 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll, MavInject Process Injection, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Lazarus Loaders, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Raccine Uninstall, WMIC Uninstall Product, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Linux Bash Reverse Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Taskkill Command, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 9fa4836ccb..0a51840a42 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, SSH Tunnel Traffic, SSH X11 Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic, SSH X11 Forwarding, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index beedf506f5..1f474b1b8e 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 9ea53bd142..3d39bb0c60 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WithSecure Elements Critical Severity, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, WithSecure Elements Critical Severity, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), WithSecure Elements Critical Severity, Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, SolarWinds Suspicious File Creation, PsExec Process, WithSecure Elements Critical Severity, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, WithSecure Elements Critical Severity, Sysmon Windows File Block Executable"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index 1f7d93aae8..20a81ea809 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index 812c80f0fe..8c0079ebf8 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace User Suspended, Google Workspace Admin Deletion"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace User Suspended, Google Workspace Admin Deletion"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Account Warning, Google Workspace Admin Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index f57dd3c37b..ae14ad6a03 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Microsoft Defender XDR Endpoint Alert, Windows Update LolBins, Microsoft Defender XDR Cloud App Security Alert, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Microsoft Defender XDR Alert, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Microsoft Defender XDR Office 365 Alert, Exfiltration Via Pscp, Lsass Wrong Parent, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, Microsoft Defender XDR Endpoint Alert, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, Microsoft Defender XDR Cloud App Security Alert, Phorpiex DriveMgr Command, Elise Backdoor, Socat Relaying Socket, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender XDR Alert, QakBot Process Creation, Microsoft Office Spawning Script, Microsoft Defender XDR Office 365 Alert, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled Service, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Cloud App Security Alert, Microsoft Office Spawning Script, Microsoft Defender XDR Office 365 Alert, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Alert, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender XDR Office 365 Alert, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Microsoft Defender XDR Endpoint Alert, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Socat Relaying Socket, Microsoft Defender XDR Alert, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, Socat Reverse Shell Detection, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Defender XDR Cloud App Security Alert, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, SOCKS Tunneling Tool, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection, Smss Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender XDR Office 365 Alert, PsExec Process, Suspicious DNS Child Process, Taskhost Wrong Parent, Microsoft Defender XDR Endpoint Alert, Winword wrong parent, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Winrshost Wrong Parent, Microsoft Defender XDR Alert, Svchost Wrong Parent, Wininit Wrong Parent, Csrss Wrong Parent, Microsoft Defender XDR Cloud App Security Alert, SolarWinds Wrong Child Process, Userinit Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Python HTTP Server, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Defender XDR Cloud App Security Alert, Microsoft Defender XDR Alert, Explorer Process Executing HTA File, Microsoft Defender XDR Office 365 Alert, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Defender XDR Endpoint Alert, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Wininit Wrong Parent, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 95373855b8..65d101c0a4 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 87cfb80bd8..2928ad5644 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Trend Micro Apex One Data Loss Prevention Alert, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Trend Micro Apex One Malware Alert, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp, Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trend Micro Apex One Malware Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Trend Micro Apex One Data Loss Prevention Alert, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index e80cae8ed0..87609ca363 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 577be74f81..eb444d651e 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Threat Detected (Suspicious), PowerShell EncodedCommand, PowerShell Commands Invocation, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Malicious), Phorpiex DriveMgr Command, SentinelOne EDR SSO User Added, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, SentinelOne EDR Custom Rule Alert, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Mitigation Report Quarantine Success, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Detected (Suspicious), SolarWinds Wrong Child Process, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR SSO User Added, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Kill Success"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Package Manager Alteration, Raccine Uninstall, WMIC Uninstall Product, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, SentinelOne EDR SSO User Added, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Linux Bash Reverse Shell, SentinelOne EDR User Logged In To The Management Console, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Mitigation Report Remediate Success, WMIC Uninstall Product, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Success, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Detected (Suspicious), SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Lazarus Loaders, Sekoia.io EICAR Detection, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Impacket Wmiexec Module, WMI Install Of Binary, WMIC Uninstall Product, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, SolarWinds Wrong Child Process, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Success, Usage Of Procdump With Common Arguments, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious)"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR User Failed To Log In To The Management Console, Download Files From Suspicious TLDs, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 59cdf55406..89a8968de3 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index a9a22161be..f4c8aa0ce4 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Winword wrong parent, Windows Update LolBins"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process, Suspicious DNS Child Process, Windows Update LolBins, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Network Connection Via Certutil"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index abc5133203..9d4e5a7780 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Winword wrong parent, Windows Update LolBins, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Socat Relaying Socket, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled Service, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Socat Relaying Socket, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, Socat Reverse Shell Detection, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, SOCKS Tunneling Tool, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection, Smss Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 933427ffab..a25613ae90 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 2d7a76bc02..d39397d760 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Token Issuer Anomaly"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 56fdd71903..fabb4a27ba 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index b3a494be7b..00fa2c515e 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 3006f1e1f9..7b199e3934 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll, MavInject Process Injection, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, PowerShell EncodedCommand, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Lazarus Loaders, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Raccine Uninstall, WMIC Uninstall Product, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Linux Bash Reverse Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Taskkill Command, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index 514962f419..e5f05aad29 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 80a74b9f03..a35051d13f 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Informational Severity, PsExec Process, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, Searchprotocolhost Child Found, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection High Severity, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, Svchost Wrong Parent, SolarWinds Suspicious File Creation, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, Python Offensive Tools and Packages, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, CrowdStrike Falcon Identity Protection Detection Medium Severity, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, CrowdStrike Falcon Identity Protection Detection Low Severity, Generic-reverse-shell-oneliner, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, CrowdStrike Falcon Identity Protection Detection High Severity, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Intrusion Detection High Severity, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Identity Protection Detection Critical Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: CrowdStrike Falcon Mobile Detection Critical Severity, CrowdStrike Falcon Mobile Detection High Severity, SEKOIA.IO Intelligence Feed, Python HTTP Server, CrowdStrike Falcon Mobile Detection Medium Severity, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection Low Severity, Cryptomining, Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection Informational Severity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Informational Severity, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, CrowdStrike Falcon Identity Protection Detection Medium Severity, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Critical Severity"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Critical Severity, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection High Severity, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, CrowdStrike Falcon Identity Protection Detection Critical Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, CrowdStrike Falcon Identity Protection Detection Informational Severity, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, CrowdStrike Falcon Identity Protection Detection Medium Severity, QakBot Process Creation, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Identity Protection Detection High Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection Medium Severity, CrowdStrike Falcon Mobile Detection Low Severity, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Informational Severity, Python HTTP Server, Cryptomining, CrowdStrike Falcon Mobile Detection Critical Severity, Exfiltration And Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection High Severity"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Critical Severity, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection High Severity, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Critical Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Suspicious Outlook Child Process, CrowdStrike Falcon Identity Protection Detection Informational Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection High Severity, Exploit For CVE-2015-1641"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, CrowdStrike Falcon Intrusion Detection, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Wsmprovhost Wrong Parent, Logonui Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity, Csrss Child Found, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, CrowdStrike Falcon Identity Protection Detection High Severity, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, CrowdStrike Falcon Intrusion Detection High Severity, Taskhostw Wrong Parent"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index 5655b973f4..4cc28fcadd 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 6f116d2bdb..2773ef103a 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index df3bf9fe8d..b7bcafb1b3 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Chafer (APT 39) Activity, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Malicious Service Installations"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Chafer (APT 39) Activity, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Malicious Service Installations"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Suspicious PsExec Execution, Windows Suspicious Service Creation, Metasploit PSExec Service Creation, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Check Point Harmony Mobile Application Forbidden, Searchprotocolhost Child Found, Winword wrong parent, Suspicious PsExec Execution, Windows Update LolBins, Windows Suspicious Service Creation, Microsoft Defender Antivirus Threat Detected, Metasploit PSExec Service Creation, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Process Herpaderping, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Spoolsv Wrong Parent, Svchost Wrong Parent, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Process Hollowing Detection, Malicious Named Pipe"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, WMI Event Subscription, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used, Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Svchost Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Malware Persistence Registry Key, Svchost Modification"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, Enabling Restricted Admin Mode, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, User Added to Local Administrators, Active Directory User Backdoors, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Impacket Wmiexec Module, WMI DLL Loaded Via Office, WMImplant Hack Tool, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Malspam Execution Registering Malicious DLL, Suspicious CodePage Switch with CHCP, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, PowerShell Malicious PowerShell Commandlets, Mustang Panda Dropper, PowerShell Download From URL, Suspicious DLL Loaded Via Office Applications, PowerShell NTFS Alternate Data Stream, Trickbot Malware Activity, Suspicious Scripting In A WMI Consumer, FromBase64String Command Line, Alternate PowerShell Hosts Pipe, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, PowerShell Invoke Expression With Registry, MalwareBytes Uninstallation, Detection of default Mimikatz banner, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Threat Detected, Suspicious PowerShell Keywords, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Malicious PowerShell Keywords, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, Powershell Web Request, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, In-memory PowerShell, PowerShell Downgrade Attack, QakBot Process Creation, Suspicious XOR Encoded PowerShell Command Line, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 1, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, AD User Enumeration"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, PowerView commandlets 2, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 1, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, FlowCloud Malware"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Malware Protection Engine Crash, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Raccine Uninstall, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, TrustedInstaller Impersonation, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Ryuk Ransomware Command Line, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Malware Protection Engine Crash, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell AMSI Bypass, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Suspect Svchost Memory Access, Python Opening Ports, Netsh Allow Command, Disabled IE Security Features, TrustedInstaller Impersonation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Services, Windows Firewall Changes"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Dynwrapx Module Loading, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Lsass Access Through WinRM, Impacket Secretsdump.py Tool, Rubeus Tool Command-line, SAM Registry Hive Handle Request, Active Directory Database Dump Via Ntdsutil, Credential Dumping By LaZagne, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Credential Dumping-Tools Common Named Pipes, Mimikatz Basic Commands, Copying Browser Files With Credentials, Transfering Files With Credential Data Via Network Shares, Windows Credential Editor Registry Key, LSASS Access From Non System Account, DPAPI Domain Backup Key Extraction, RedMimicry Winnti Playbook Dropped File, Suspicious CommandLine Lsassy Pattern, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump File Creation, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Dumpert LSASS Process Dumper, HackTools Suspicious Names, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, Active Directory Replication from Non Machine Account, LSASS Memory Dump, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Mimikatz LSASS Memory Access, Password Dumper Activity On LSASS, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Suspicious SAM Dump, Wdigest Enable UseLogonCredential, DCSync Attack, Process Memory Dump Using Rdrleakdiag, Malicious Service Installations"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Cookies Deletion, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, PowerShell Malicious PowerShell Commandlets, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, FromBase64String Command Line, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, Powershell Web Request, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, In-memory PowerShell, Suspicious XOR Encoded PowerShell Command Line, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, User Added to Local Administrators, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Python Opening Ports, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Memory Dump, Lsass Access Through WinRM, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Mimikatz LSASS Memory Access, Suspicious CommandLine Lsassy Pattern, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, RDP Login From Localhost, Admin Share Access, Smbexec.py Service Installation, MMC Spawning Windows Shell, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Protected Storage Service Access, RDP Port Change Using Powershell, Denied Access To Remote Desktop, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, SSH Tunnel Traffic, SSH X11 Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR High Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Threat, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR High Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Threat, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Threat, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Cisco Umbrella Threat Detected, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic, Venom Multi-hop Proxy agent detection, SSH X11 Forwarding, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Malware Persistence Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Metasploit PSExec Service Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Windows Suspicious Service Creation, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, Smss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Svchost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Check Point Harmony Mobile Application Forbidden, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, Metasploit PSExec Service Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Windows Suspicious Service Creation, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, Smss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, WMI Persistence Command Line Event Consumer, Svchost Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, NetNTLM Downgrade Attack, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable Workstation Lock, Remote Registry Management Using Reg Utility, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious New Printer Ports In Registry, RDP Port Change Using Powershell, Blue Mockingbird Malware, FlowCloud Malware, Chafer (APT 39) Activity"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Dynwrapx Module Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, Wdigest Enable UseLogonCredential, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes, Load Of dbghelp/dbgcore DLL From Suspicious Process, Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Copying Browser Files With Credentials, NetNTLM Downgrade Attack, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, RedMimicry Winnti Playbook Dropped File, Unsigned Image Loaded Into LSASS Process, NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, Transfering Files With Credential Data Via Network Shares, LSASS Access From Non System Account, Suspicious SAM Dump, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, Rubeus Tool Command-line, LSASS Memory Dump File Creation, Malicious Service Installations, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dumping By LaZagne, Password Dumper Activity On LSASS, Mimikatz Basic Commands, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, DCSync Attack, Process Memory Dump Using Comsvcs, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Credential Dumping Tools Service Execution, LSASS Access From Non System Account, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dumping By LaZagne, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, LSASS Memory Dump, LSASS Memory Dump File Creation, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Blue Mockingbird Malware, Chafer (APT 39) Activity, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Suspicious Windows DNS Queries, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious PROCEXP152.sys File Created In Tmp, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Windows Defender Credential Guard, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Dism Disabling Windows Defender, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Exclusion Configuration, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Python Opening Ports, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Ryuk Ransomware Command Line, Netsh Allow Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Windows Defender Credential Guard, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Disable Security Events Logging Adding Reg Key MiniNt, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, Microsoft Defender Antivirus Exclusion Configuration, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, Mustang Panda Dropper, Suspicious DLL Loaded Via Office Applications, MalwareBytes Uninstallation, WMI DLL Loaded Via Office, Microsoft Defender Antivirus Threat Detected, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, PowerShell Invoke Expression With Registry, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Aspnet Compiler, Mshta Suspicious Child Process, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, PowerShell NTFS Alternate Data Stream, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, WMImplant Hack Tool, PowerShell Download From URL, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Scripting In A WMI Consumer, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor, In-memory PowerShell"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Python Opening Ports, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Hijack Legit RDP Session To Move Laterally, Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory User Backdoors, User Added to Local Administrators, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Execution From Suspicious Folder, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Malicious Named Pipe, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Process Herpaderping, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Process Hollowing Detection, Taskhost Wrong Parent, Dynwrapx Module Loading, Svchost Wrong Parent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, StoneDrill Service Install, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Svchost Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, StoneDrill Service Install, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Svchost Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Mshta Suspicious Child Process, Malicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, PowerShell NTFS Alternate Data Stream, Powershell Web Request, WMImplant Hack Tool, PowerShell Download From URL, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, In-memory PowerShell"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, Eventlog Cleared, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, NlTest Usage, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Rubeus Tool Command-line, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Possible Replay Attack"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Protected Storage Service Access, Smbexec.py Service Installation, Admin Share Access, RDP Login From Localhost, MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, Denied Access To Remote Desktop, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Network Connection Via Certutil, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Smbexec.py Service Installation, Admin Share Access, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index c88414c62e..e4f8447159 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index 95ad06ad97..11195ef13a 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index 32c86a15dd..2d84a5cb95 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Audit CVE Event, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 9d2a94ea36..b8352f64e6 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 15d671ae81..6be3bbbcbc 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll, MavInject Process Injection, Suspicious Taskkill Command"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, PowerShell EncodedCommand, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Lazarus Loaders, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Raccine Uninstall, WMIC Uninstall Product, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Linux Bash Reverse Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Taskkill Command, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 231694a8e8..c582e92fc5 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index aa5561cdda..c4cfca62af 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Spawning Script, Aspnet Compiler, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, QakBot Process Creation, AutoIt3 Execution From Suspicious Folder, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Aspnet Compiler"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index 5f73f5cf47..3313a20bdb 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index 63c811b0f1..8cea47a461 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index 8f87a8df6b..30320593c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index 65a2245179..a62b62fbaa 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index 84f7840503..c28a7f3dc7 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, Python Offensive Tools and Packages, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HarfangLab EDR High Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Threat, HarfangLab EDR Critical Threat, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HarfangLab EDR High Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Threat, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Threat, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Cron Files Alteration, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index cb6cfc879b..86ae0e9d87 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 95b6e2edeb..5867dce0ac 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR Application Blocked, Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR CorePUA Clean"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR Application Detected, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index ba959201c0..f77cba90c9 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 8c11169bda..c3d50b2fe3 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 3dbca94265..6b146d6e53 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Windows Update LolBins, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, Python Offensive Tools and Packages, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Process Trace Alteration, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 179b988f58..67594a37c9 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index e70744170e..696cfee981 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 14cde8824c..13e12b6bd4 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 86a6578a07..60b41b0a29 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 9b5382400d..5073bbad6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries, LokiBot Default C2 URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 028c6cd0f6..0fd804b980 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index d297959c16..0b35172b65 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Malware But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index 74d738bb85..70b41a65ed 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 52314036ce..f849f4d139 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 5e517de146..0cc3c68548 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index 84c2f59259..8d53d4a9c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index 1910d81d1f..9e9410ba9e 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 1f3782f698..f2dc1187c9 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 4f72b5e404..2c627e5dc0 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure, Fortinet FortiGate Firewall Successful External Login"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Sliver DNS Beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index 9deeb58e66..977f5fb83d 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index 8a0a0274be..ce689515a5 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 86b93572f8..71d2c8f07a 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 3a29d0c34a..1ee8f71833 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Socat Relaying Socket, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled Service, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Socat Relaying Socket, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, Socat Reverse Shell Detection, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, SOCKS Tunneling Tool, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 0d0bd58ac9..f48c5d66c6 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Windows Update LolBins, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, Python Offensive Tools and Packages, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Njrat Registry Values, Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Cookies Deletion"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Njrat Registry Values, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index 1f2e7d5e56..3618b4acee 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index 5fb9a998e5..f7371bbf73 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index 5ef9400702..4a0b7ceac7 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 32bb1330e4..2086ecbce1 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 3bd7ad2ea6..d9b2862b14 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index 8f83a91fa3..266f46cfcf 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index c666f68168..737f9afa97 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index bedd8ae4d0..0925fa12ef 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll, MavInject Process Injection, Suspicious Taskkill Command"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, PowerShell EncodedCommand, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Lazarus Loaders, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Raccine Uninstall, WMIC Uninstall Product, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Linux Bash Reverse Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Taskkill Command, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 1f88dbda02..78dc44429d 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index 2f186db8b8..76e437ce5a 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 5b2acf4aee..c4b009bd47 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index 859acc1379..b6f05aeb2b 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 5dd1740906..0e23288c04 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index 845492f45e..f941b2467d 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index 8638691726..3e829025d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index 9c8f910018..d1afaa55b5 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index a2864bc1ea..6413b5523a 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 7a14df69a7..3faab21024 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Network Alert, Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Network Alert, Varonis Data Security Email Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Network Alert, Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Network Alert, Varonis Data Security Email Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index 5b83ca6d2c..518383ef89 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 249810f138..876bf04e45 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index da6c99d085..9884fc7d83 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index f4e35d1933..6e54af2b56 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index b2672c30ff..af8546f431 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 7d3f264b86..69f1b46ebe 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index eda4d37d2a..d499b4a9ba 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 3580a9974e..5efcf9949e 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index 91e703b579..d7b52e5cf8 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 6da67425fd..8eccb4f9f3 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, TEHTRIS EDR Alert, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, TEHTRIS EDR Alert, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index b168b79702..a2a5e0affe 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index 0f9c383335..a8d33ec1c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index 33af7aa3ba..5c6a8ea2f0 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index 458e157050..00e2177fa6 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 256a07e2c5..569230a232 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Chafer (APT 39) Activity, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Malicious Service Installations"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, APT29 Fake Google Update Service Install, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Chafer (APT 39) Activity, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Malicious Service Installations"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Suspicious PsExec Execution, Windows Suspicious Service Creation, Metasploit PSExec Service Creation, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Gpscript Suspicious Parent, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Check Point Harmony Mobile Application Forbidden, Searchprotocolhost Child Found, Winword wrong parent, Suspicious PsExec Execution, Windows Update LolBins, Windows Suspicious Service Creation, Microsoft Defender Antivirus Threat Detected, Metasploit PSExec Service Creation, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Malicious Service Installations"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Malicious Named Pipe, Smss Wrong Parent, Process Hollowing Detection, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Process Herpaderping, Searchindexer Wrong Parent, Cobalt Strike Named Pipes, Dynwrapx Module Loading, Spoolsv Wrong Parent, Svchost Wrong Parent, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Suspicious Scripting In A WMI Consumer, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, WMI Event Subscription, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Chafer (APT 39) Activity, Sliver DNS Beaconing, Nimbo-C2 User Agent, Cryptomining, Python HTTP Server, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Suspicious LDAP-Attributes Used, Dynamic DNS Contacted, Suspicious Windows DNS Queries"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Svchost Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Malware Persistence Registry Key, Svchost Modification"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, Add User to Privileged Group, Enabling Restricted Admin Mode, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, User Added to Local Administrators, Active Directory User Backdoors, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, Suspicious Kerberos Ticket, Rubeus Register New Logon Process, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Impacket Wmiexec Module, WMI DLL Loaded Via Office, WMImplant Hack Tool, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Malspam Execution Registering Malicious DLL, Suspicious CodePage Switch with CHCP, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, PowerShell Malicious PowerShell Commandlets, Mustang Panda Dropper, PowerShell Download From URL, Suspicious DLL Loaded Via Office Applications, PowerShell NTFS Alternate Data Stream, Trickbot Malware Activity, Suspicious Scripting In A WMI Consumer, FromBase64String Command Line, Alternate PowerShell Hosts Pipe, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, PowerShell Invoke Expression With Registry, MalwareBytes Uninstallation, Detection of default Mimikatz banner, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Suspicious PowerShell Keywords, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Malicious PowerShell Keywords, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, In-memory PowerShell, PowerShell Downgrade Attack, QakBot Process Creation, Suspicious XOR Encoded PowerShell Command Line, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 1, PowerView commandlets 2, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, PowerView commandlets 2, Active Directory Data Export Using Csvde, PowerView commandlets 1, AD User Enumeration"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, PowerView commandlets 2, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 1, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, OceanLotus Registry Activity, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Suspicious New Printer Ports In Registry, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, FlowCloud Malware"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Possible Malicious File Double Extension, Execution From Suspicious Folder, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Ryuk Ransomware Command Line, Fail2ban Unban IP, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Malware Protection Engine Crash, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Raccine Uninstall, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, TrustedInstaller Impersonation, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Ryuk Ransomware Command Line, Fail2ban Unban IP, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious PROCEXP152.sys File Created In Tmp, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Microsoft Defender Antivirus Exclusion Configuration, Disable Task Manager Through Registry Key, Microsoft Malware Protection Engine Crash, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Configuration Changed, Raccine Uninstall, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Powershell AMSI Bypass, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Suspect Svchost Memory Access, Python Opening Ports, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, TrustedInstaller Impersonation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Services, Windows Firewall Changes"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Desktopimgdownldr Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Dynwrapx Module Loading, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Certify Or Certipy, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Lsass Access Through WinRM, Impacket Secretsdump.py Tool, Rubeus Tool Command-line, SAM Registry Hive Handle Request, Active Directory Database Dump Via Ntdsutil, Credential Dumping By LaZagne, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, NetNTLM Downgrade Attack, Credential Dumping-Tools Common Named Pipes, Mimikatz Basic Commands, Copying Browser Files With Credentials, Transfering Files With Credential Data Via Network Shares, Windows Credential Editor Registry Key, LSASS Access From Non System Account, DPAPI Domain Backup Key Extraction, RedMimicry Winnti Playbook Dropped File, Suspicious CommandLine Lsassy Pattern, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump File Creation, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Dumpert LSASS Process Dumper, HackTools Suspicious Names, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, Active Directory Replication from Non Machine Account, LSASS Memory Dump, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Mimikatz LSASS Memory Access, Password Dumper Activity On LSASS, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Suspicious SAM Dump, Wdigest Enable UseLogonCredential, Process Trace Alteration, DCSync Attack, Process Memory Dump Using Rdrleakdiag, Malicious Service Installations"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Eventlog Cleared, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Cookies Deletion, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, PowerShell Malicious PowerShell Commandlets, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, FromBase64String Command Line, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, Powershell Web Request, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, In-memory PowerShell, Suspicious XOR Encoded PowerShell Command Line, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, User Added to Local Administrators, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Admin User RDP Remote Logon"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Python Opening Ports, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Memory Dump, Lsass Access Through WinRM, Process Memory Dump Using Createdump, Credential Dumping Tools Service Execution, Mimikatz LSASS Memory Access, Suspicious CommandLine Lsassy Pattern, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, RDP Login From Localhost, Admin Share Access, Smbexec.py Service Installation, MMC Spawning Windows Shell, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Protected Storage Service Access, RDP Port Change Using Powershell, Denied Access To Remote Desktop, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, AD Object WriteDAC Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Antivirus Password Dumper Detection, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR High Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Threat, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Threat, HarfangLab EDR Critical Threat, Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR High Level Rule Detection, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Medium Threat, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Threat, Download Files From Suspicious TLDs, HarfangLab EDR Critical Threat, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Spawning Script, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Threat, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious PROCEXP152.sys File Created In Tmp, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Windows Defender Credential Guard, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Disabled IE Security Features, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Dism Disabling Windows Defender, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Exclusion Configuration, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Python Opening Ports, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Ryuk Ransomware Command Line, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Windows Defender Credential Guard, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Disable Security Events Logging Adding Reg Key MiniNt, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, Microsoft Defender Antivirus Exclusion Configuration, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, CreateRemoteThread Common Process Injection, Searchprotocolhost Wrong Parent, Process Hollowing Detection, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Process Herpaderping, Smss Wrong Parent, Malicious Named Pipe, Svchost Wrong Parent, Spoolsv Wrong Parent, Cobalt Strike Named Pipes, Dynwrapx Module Loading, Taskhostw Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, Hijack Legit RDP Session To Move Laterally, Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Malware Persistence Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, DLL Load via LSASS Registry Key, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory User Backdoors, User Added to Local Administrators, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified, Add User to Privileged Group, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, Eventlog Cleared, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, Mustang Panda Dropper, Suspicious DLL Loaded Via Office Applications, MalwareBytes Uninstallation, WMI DLL Loaded Via Office, Microsoft Defender Antivirus Threat Detected, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, AutoIt3 Execution From Suspicious Folder, FromBase64String Command Line, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Aspnet Compiler, Mshta Suspicious Child Process, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, PowerShell NTFS Alternate Data Stream, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, WMImplant Hack Tool, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Scripting In A WMI Consumer, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor, In-memory PowerShell"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, Wdigest Enable UseLogonCredential, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes, Load Of dbghelp/dbgcore DLL From Suspicious Process, Mimikatz LSASS Memory Access, Process Trace Alteration, Lsass Access Through WinRM, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, NetNTLM Downgrade Attack, Copying Sensitive Files With Credential Data, RedMimicry Winnti Playbook Dropped File, Unsigned Image Loaded Into LSASS Process, NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, Transfering Files With Credential Data Via Network Shares, LSASS Access From Non System Account, Suspicious SAM Dump, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, Rubeus Tool Command-line, LSASS Memory Dump File Creation, Malicious Service Installations, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Cmdkey Cached Credentials Recon, Credential Dumping By LaZagne, Password Dumper Activity On LSASS, Mimikatz Basic Commands, HackTools Suspicious Names, Suspicious CommandLine Lsassy Pattern, DCSync Attack, Process Memory Dump Using Comsvcs, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Metasploit PSExec Service Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Windows Suspicious Service Creation, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, Smss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Svchost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Check Point Harmony Mobile Application Forbidden, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, Metasploit PSExec Service Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Gpscript Suspicious Parent, Windows Suspicious Service Creation, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smbexec.py Service Installation, Smss Wrong Parent, Winrshost Wrong Parent, Taskhostw Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, Suspicious PsExec Execution, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, WMI Persistence Command Line Event Consumer, Svchost Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key, NetNTLM Downgrade Attack, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Wdigest Enable UseLogonCredential, Disable Workstation Lock, Remote Registry Management Using Reg Utility, Disable Security Events Logging Adding Reg Key MiniNt, Suspicious New Printer Ports In Registry, RDP Port Change Using Powershell, Blue Mockingbird Malware, FlowCloud Malware, Chafer (APT 39) Activity"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Dynwrapx Module Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Lsass Access Through WinRM, Credential Dumping Tools Service Execution, LSASS Access From Non System Account, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Credential Dumping By LaZagne, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, LSASS Memory Dump, LSASS Memory Dump File Creation, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Chafer (APT 39) Activity, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent, Blue Mockingbird Malware, Chafer (APT 39) Activity, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Svchost Modification, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Low Threat, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Hlai Engine Detection, Microsoft Office Spawning Script, HarfangLab EDR High Threat, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Critical Threat"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Microsoft Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Python Opening Ports, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Execution From Suspicious Folder, RTLO Character, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, GitLab CVE-2021-22205, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, StoneDrill Service Install, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Svchost Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, StoneDrill Service Install, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Cobalt Strike Default Service Creation Usage, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Svchost Wrong Parent, OneNote Suspicious Children Process, Malicious Service Installations, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, WMI Persistence Command Line Event Consumer, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Putty Sessions Listing"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Mshta Suspicious Child Process, Malicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, PowerShell NTFS Alternate Data Stream, Powershell Web Request, WMImplant Hack Tool, PowerShell Download From URL, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, In-memory PowerShell"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, Remote Privileged Group Enumeration, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD User Enumeration, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer, Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Suspicious Hostname, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, NlTest Usage, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Rubeus Tool Command-line, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Possible Replay Attack"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Protected Storage Service Access, Smbexec.py Service Installation, Admin Share Access, RDP Login From Localhost, MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, Denied Access To Remote Desktop, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Network Connection Via Certutil, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Smbexec.py Service Installation, Admin Share Access, Lateral Movement Remote Named Pipe, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Handle Failure, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index fd14eba111..63e367d99a 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index cd5bcc7c97..f43b35f478 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index bbaaf0db0c..38209f22fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 889585a2d4..530f6eb7d0 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, PsExec Process, Rare Logonui Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, PsExec Process, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, SolarWinds Suspicious File Creation, Windows Update LolBins"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, New Service Creation, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Wrong Child Process, New Service Creation, Rare Lsass Child Found, Csrss Child Found, Searchprotocolhost Child Found, Winword wrong parent, Explorer Wrong Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winword wrong parent, Searchprotocolhost Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, PsExec Process, Rare Lsass Child Found, Rare Logonui Child Found, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winword wrong parent, Searchprotocolhost Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, PsExec Process, Rare Lsass Child Found, Rare Logonui Child Found, Suspicious DNS Child Process, Windows Update LolBins, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Rare Logonui Child Found, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Rare Logonui Child Found, New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index ccd0da87dc..dee59847a3 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification, Njrat Registry Values, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Usage Of Sysinternals Tools, Exfiltration Via Pscp, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Exfiltration Via Pscp"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index d48df5bd73..8781027640 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index c44f2de571..6c0dd76667 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Cybereason EDR Alert"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Aspnet Compiler, Cybereason EDR Alert"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 4c003974b6..221f120ff9 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 631ecbf8a4..fa31b79ed0 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index f97c5652b5..865cfb6d5d 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll, MavInject Process Injection, Suspicious Taskkill Command"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Change Default File Association, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, PowerShell EncodedCommand, PowerShell Commands Invocation, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Lazarus Loaders, MalwareBytes Uninstallation, Linux Bash Reverse Shell, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Nimbo-C2 User Agent, Cryptomining, LokiBot Default C2 URL, Python HTTP Server, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Potential DNS Tunnel"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Debugging Software Deactivation, Raccine Uninstall, WMIC Uninstall Product, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Disabled IE Security Features, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Linux Bash Reverse Shell, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Taskkill Command, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Phorpiex DriveMgr Command, PowerShell Commands Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Wmic Service Call, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Dynamic DNS Contacted, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Python HTTP Server, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index 82fb4fb7f7..593153edf9 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index 29a4ee2dd6..dd3c3ea3a2 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index 6007d7633c..e95e0aaa62 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 74ae9ccc73..5191a01e50 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Covenant Default HTTP Beaconing, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index 22438f0a42..e6d995f133 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index cce63b228a..0e3882a751 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index 3d158b8f85..ce324f162a 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index a3e97702ab..9f956f83b1 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Suspicious Control Process, Mshta JavaScript Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, CertOC Loading Dll, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One Low Intrusion"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Aspnet Compiler, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, CMSTP Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Windows Installer Execution, MavInject Process Injection, xWizard Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, CertOC Loading Dll, Suspicious Regasm Regsvcs Usage, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion, Trend Micro Cloud One Low Intrusion"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 9252bcc9ca..5914109ae8 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 753f241651..06932d2687 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Trellix Network Security Threat Blocked, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Trellix Network Security Threat Notified, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Trellix Network Security Threat Blocked, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Trellix Network Security Threat Notified"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 8e36a0d65d..6f18a1a23e 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Malware Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index 77e144e6ad..5f57105995 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index c3e6bdd3ad..796edde3ff 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 2bd9b18a9f..2b35c43879 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Chafer (APT 39) Activity, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Chafer (APT 39) Activity, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Cryptomining, Dynamic DNS Contacted, Suspicious Windows DNS Queries"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, Invoke-TheHash Commandlets, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, PowerShell Malicious PowerShell Commandlets, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, Trickbot Malware Activity, Python Offensive Tools and Packages, FromBase64String Command Line, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, PowerShell Invoke Expression With Registry, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Suspicious PowerShell Keywords, Phorpiex DriveMgr Command, Elise Backdoor, Socat Relaying Socket, Suspicious VBS Execution Parameter, Malicious PowerShell Keywords, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, PowerShell Downgrade Attack, QakBot Process Creation, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, PowerView commandlets 2, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 1, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Chafer (APT 39) Activity, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, RTLO Character, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, TrustedInstaller Impersonation, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Powershell AMSI Bypass, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled Service, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, TrustedInstaller Impersonation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Defender Deactivation Using PowerShell Script, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Services, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Invoke-TheHash Commandlets, PowerShell Malicious PowerShell Commandlets, PowerShell Download From URL, PowerShell NTFS Alternate Data Stream, FromBase64String Command Line, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Credential Prompt, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Invoke Expression With Registry, Suspicious Taskkill Command, Suspicious PowerShell Keywords, Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Generic, Powershell Web Request, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Cookies Deletion, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Reverse Shell Detection, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Login From Localhost, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Antivirus Relevant File Paths Alerts, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, SELinux Disabling, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable SecurityHealth, Windows Defender Deactivation Using PowerShell Script, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Threat Detected, PowerShell Malicious PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, PowerShell Invoke Expression With Registry, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python, FromBase64String Command Line, WMIC Uninstall Product, Suspicious XOR Encoded PowerShell Command Line, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Aspnet Compiler, Mshta Suspicious Child Process, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Socat Relaying Socket, Suspicious Outlook Child Process, Suspicious PowerShell Invocations - Generic, PowerShell NTFS Alternate Data Stream, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, WMImplant Hack Tool, PowerShell Download From URL, Generic-reverse-shell-oneliner, Socat Reverse Shell Detection, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, SOCKS Tunneling Tool, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Chafer (APT 39) Activity"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, Autorun Keys Modification"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Enabling Restricted Admin Mode, SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wmiprvse Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware, Chafer (APT 39) Activity"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Chafer (APT 39) Activity"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Suspicious Windows DNS Queries, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Suspicious Outlook Child Process, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMImplant Hack Tool, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Chafer (APT 39) Activity, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Winrshost Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Chafer (APT 39) Activity, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Keywords, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Mshta Suspicious Child Process, Malicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, PowerShell NTFS Alternate Data Stream, Powershell Web Request, WMImplant Hack Tool, PowerShell Download From URL, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, AdFind Usage, Phosphorus Domain Controller Discovery, NlTest Usage, PowerView commandlets 1, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index d3a8d18bac..5857d76395 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index 08f0b7c4a2..d91f096d6c 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index 451ced834f..ceaa6e2a99 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
index b97432d405..87bfd9b00d 100644
--- a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index 18c3972a58..7e626766b1 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS New Country, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Suspicious Double Extension, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS New Country, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) MCAS Risky IP, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Safe Attachment Rule Disabled"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Mass Download By A Single User, Suspicious Double Extension, Suspicious Email Attachment Received, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, SEKOIA.IO Intelligence Feed, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) AtpDetection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) AtpDetection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index a84b8d50ff..89dce09175 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index a5a85713b9..3aa962867b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 7f9f035811..4b09382e83 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index e7bd9470ea..ef5e363f72 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 75162f0fae..13847564d7 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Config DeleteConfigurationRecorder, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM DeleteOpenIDConnectProvider"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM ChangePassword"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config DeleteConfigurationRecorder, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Remove Flow logs, AWS CloudTrail Important Change, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Disable MFA, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 676777d38e..646237e22b 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index b3b558784c..cc681f0859 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index da1f1989a0..c8abb7b086 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index ee1480f1c1..13e9b78683 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 4e4e7ea52e..90dcea3a58 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, LokiBot Default C2 URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
index 3614727199..d77b5e1a96 100644
--- a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index 8c9f2bc289..1cd800ab1c 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs, Zscaler ZIA Malicious Threat"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index 78eb7e2587..bc067559e5 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index a6d1c8b2bf..df21f6cbba 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index 8347760061..7e7f5ed8ce 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index 758587dd73..0430ccd9d5 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Phishing Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (Lawyer Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, SEKOIA.IO Intelligence Feed, Spearphishing (CEO Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Malware Detected By Vade For M365, Scam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index c3b7e4278b..71355a3f2e 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Blacklist Manipulations, Okta Security Threat Configuration Updated, Okta Network Zone Modified, Okta MFA Disabled, Okta Network Zone Deleted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Admin Privilege Granted, Okta Application modified, Okta User Impersonation Access, Okta Application deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Security Threat Configuration Updated, Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Network Zone Modified, Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Impersonation Access, Okta User Account Deactivated, Okta Application modified, Okta Admin Privilege Granted, Okta Application deleted"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
index ebee3b7684..e7d848c5c3 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 90e86eaedb..5f20cc5f59 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Python Offensive Tools and Packages, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Elise Backdoor, Socat Relaying Socket, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Explorer Process Executing HTA File, Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, MavInject Process Injection, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled Service, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled Service, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Downgrade Attack"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Empire Monkey Activity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Cookies Deletion"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disabled Service, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, SELinux Disabling, ETW Tampering, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Debugging Software Deactivation, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, WMIC Uninstall Product, Interactive Terminal Spawned via Python, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Socat Relaying Socket, Powershell Web Request, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, Socat Reverse Shell Detection, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Python Offensive Tools and Packages, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Ngrok Process Execution, SOCKS Tunneling Tool, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering, Cookies Deletion, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Download From URL, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Taskkill Command, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index ed3861e99e..27cdb4be67 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index e35a4721a9..5fe4d81976 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index b1d1a9f4b9..0f270af415 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 7e01beb5e9..58641e0984 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index 27ded3cd41..f236908544 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, TrevorC2 HTTP Communication, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, TrevorC2 HTTP Communication"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index cf912841f6..fb28fd6117 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index c3cac487ee..52cc1b0944 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index 0ac9d92dd3..6d73186bc9 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, New Service Creation, Taskhostw Wrong Parent, Taskhost Wrong Parent, Explorer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Sysinternals Tools, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Smss Wrong Parent, Searchprotocolhost Child Found, Winword wrong parent, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Csrss Wrong Parent, Userinit Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wsmprovhost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, Searchindexer Wrong Parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Lsass Wrong Parent, Csrss Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Svchost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, Component Object Model Hijacking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Schtasks Suspicious Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Commands Invocation, Suspicious Windows Script Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Outlook Child Process, Lazarus Loaders, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Aspnet Compiler, Suspicious Microsoft Defender Antivirus Exclusion Command, Linux Bash Reverse Shell, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, QakBot Process Creation, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, Suspicious Cmd.exe Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell Downgrade Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Blue Mockingbird Malware, Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock, FlowCloud Malware, OceanLotus Registry Activity, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage, Container Credential Access, Opening Of a Password File"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Control Panel Items, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, Mshta JavaScript Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CMSTP Execution, CertOC Loading Dll, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, MavInject Process Injection, Empire Monkey Activity, xWizard Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Clear EventLogs Through CommandLine, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disable Task Manager Through Registry Key, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, AMSI Deactivation Using Registry Key, Netsh Program Allowed With Suspicious Location, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Dism Disabling Windows Defender, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, Rubeus Tool Command-line, Copying Browser Files With Credentials, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, PowerShell EncodedCommand, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Headless Web Browser Execution To Download File, Rclone Process, Pandemic Windows Implant, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Stormshield Ses Critical Block, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Microsoft Office Product Spawning Windows Shell, Stormshield Ses Emergency Block, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Stormshield Ses Critical Not Block, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Program Allowed With Suspicious Location, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Mshta Execution, Explorer Process Executing HTA File, Mshta JavaScript Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine, FLTMC command usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Disabled IE Security Features, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Netsh Port Forwarding, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Clear EventLogs Through CommandLine, Windows Firewall Changes, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Allow Command, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Tampering Detected, Disabled IE Security Features, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Debugging Software Deactivation, Dism Disabling Windows Defender, FLTMC command usage, AMSI Deactivation Using Registry Key, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Smss Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Blue Mockingbird Malware, Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Njrat Registry Values, Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Erase Shell History, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Microsoft Defender Antivirus Threat Detected, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, PowerShell Commands Invocation, Suspicious CodePage Switch with CHCP, Suspicious VBS Execution Parameter, Exploited CVE-2020-10189 Zoho ManageEngine, Default Encoding To UTF-8 PowerShell, Sysprep On AppData Folder, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, WMIC Uninstall Product, Phorpiex DriveMgr Command, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Aspnet Compiler, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Outlook Child Process, Powershell Web Request, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Lazarus Loaders, PowerShell Download From URL, Generic-reverse-shell-oneliner, PowerShell Downgrade Attack, Bloodhound and Sharphound Tools Usage, Sekoia.io EICAR Detection, QakBot Process Creation, Suspicious Cmd.exe Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Elise Backdoor"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Copying Browser Files With Credentials, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Microsoft Defender Antivirus Threat Detected, Wmiprvse Wrong Parent, PsExec Process, Rare Logonui Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Windows Update LolBins, Winlogon wrong parent, Exfiltration Via Pscp, Taskhostw Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Cryptomining, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Mshta JavaScript Execution, Suspicious Regsvr32 Execution, xWizard Execution, Suspicious Taskkill Command, Suspicious Regasm Regsvcs Usage, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, CMSTP Execution, MavInject Process Injection, Explorer Process Executing HTA File, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, MOFComp Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, CertOC Loading Dll"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Emergency Block, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Defender Antivirus Threat Detected, Explorer Process Executing HTA File, Stormshield Ses Critical Block, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Stormshield Ses Critical Not Block, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Empire Monkey Activity, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allow Command, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Explorer Wrong Parent, Dllhost Wrong Parent, Lsass Wrong Parent, Wmiprvse Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, New Service Creation, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Wsmprovhost Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Smss Wrong Parent, Svchost Wrong Parent, OneNote Suspicious Children Process, Spoolsv Wrong Parent, Searchprotocolhost Child Found, Csrss Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Rare Lsass Child Found, Winlogon wrong parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell EncodedCommand, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Trickbot Malware Activity"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Exfiltration Domain, Rclone Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index 2da50d1a42..b56c2e0b4e 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection, Aspnet Compiler"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index a2c76d44ed..9425ab4590 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index 3645f720bd..dbb363e884 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cryptomining, Dynamic DNS Contacted, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-13379 Fortinet Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 282751b134..f500f3bd4e 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -1,7 +1,10 @@
-Changelog _last update on 2024-07-08_
+Changelog _last update on 2024-07-10_
## Changelog
+### User Account Created
+ - 10/07/2024 - minor - Adding filter and new elements to reduce false positives.
+
### Microsoft Defender Antivirus Disable Scheduled Tasks
- 04/07/2024 - minor - Adding new commands to increase detection.
@@ -17,28 +20,28 @@ Changelog _last update on 2024-07-08_
### Disable Task Manager Through Registry Key
- 25/06/2024 - major - Fix pattern selection
-### Sticky Key Like Backdoor Usage
+### Usage Of Sysinternals Tools
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-### Disable Workstation Lock
+### UAC Bypass Using Fodhelper
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-### Malware Persistence Registry Key
- - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance, and filter some FPs
-
### Leviathan Registry Key Activity
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-### Security Support Provider (SSP) Added to LSA Configuration
+### Sticky Key Like Backdoor Usage
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-### UAC Bypass Using Fodhelper
+### Security Support Provider (SSP) Added to LSA Configuration
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-### Usage Of Sysinternals Tools
+### OceanLotus Registry Activity
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
-### OceanLotus Registry Activity
+### Malware Persistence Registry Key
+ - 21/06/2024 - major - Update detection pattern for ECS fields/value compliance, and filter some FPs
+
+### Disable Workstation Lock
- 21/06/2024 - major - Update detection pattern for ECS fields/value compliance
### SOCKS Tunneling Tool
@@ -80,12 +83,12 @@ Changelog _last update on 2024-07-08_
### Anomaly Multiple Host Port Scan
- 11/06/2024 - minor - Adding fields to be displayed in the alert and changing effort level.
-### Logonui Wrong Parent
- - 07/06/2024 - major - Added filter to reduce false positives
-
### NjRat Registry Changes
- 07/06/2024 - major - Update pattern to reduce false positives
+### Logonui Wrong Parent
+ - 07/06/2024 - major - Added filter to reduce false positives
+
### CMSTP UAC Bypass via COM Object Access
- 28/05/2024 - minor - Add pattern to filter to improve coverage
@@ -95,6 +98,9 @@ Changelog _last update on 2024-07-08_
### Suspicious PowerShell Keywords
- 23/05/2024 - minor - Added filter to reduce false positives and new suspicious keywords.
+### HarfangLab EDR Critical Level Rule Detection
+ - 23/05/2024 - minor - Added filter to exclude threat dataset
+
### HarfangLab EDR High Level Rule Detection
- 23/05/2024 - minor - Added filter to exclude threat dataset
@@ -104,18 +110,15 @@ Changelog _last update on 2024-07-08_
### HarfangLab EDR Low Level Rule Detection
- 23/05/2024 - minor - Added filter to exclude threat dataset
-### HarfangLab EDR Critical Level Rule Detection
- - 23/05/2024 - minor - Added filter to exclude threat dataset
-
-### Login Brute-Force On Sekoia.io
- - 22/05/2024 - minor - Switch the group-by clause to a sekoiaio uuid field.
-
### Google Workspace Admin Creation
- 22/05/2024 - minor - Adding new element to increase detection.
### Password Reset Error Brute-Force On AzureAD
- 22/05/2024 - minor - Switch the group-by clause to a sekoiaio uuid field.
+### Login Brute-Force On Sekoia.io
+ - 22/05/2024 - minor - Switch the group-by clause to a sekoiaio uuid field.
+
### Stop Backup Services
- 16/05/2024 - minor - add pattern to extend and improve detection
@@ -140,127 +143,124 @@ Changelog _last update on 2024-07-08_
### Smss Wrong Parent
- 05/04/2024 - major - Added filter to reduce false positives
-### DHCP Server Loaded the CallOut DLL
- - 04/04/2024 - major - Rule's pattern field changed
-
-### Suspicious Outbound Kerberos Connection
+### Suspect Svchost Memory Access
- 04/04/2024 - major - Rule's pattern field changed
-### Secure Deletion With SDelete
+### SAM Registry Hive Handle Request
- 04/04/2024 - major - Rule's pattern field changed
-### Suspicious Access To Sensitive File Extensions
+### SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory
- 04/04/2024 - major - Rule's pattern field changed
-### Suspicious SAM Dump
+### Suspicious PsExec Execution
- 04/04/2024 - major - Rule's pattern field changed
-### CVE-2019-0708 Scan
+### Failed Logon Followed By A Success From Public IP Addresses
- 04/04/2024 - major - Rule's pattern field changed
-### Microsoft Malware Protection Engine Crash
+### Suspicious Windows ANONYMOUS LOGON Local Account Created
- 04/04/2024 - major - Rule's pattern field changed
-### Powershell Winlogon Helper DLL
+### MSBuild Abuse
- 04/04/2024 - major - Rule's pattern field changed
-### DNS Server Error Failed Loading The ServerLevelPluginDLL
+### RDP Login From Localhost
- 04/04/2024 - major - Rule's pattern field changed
-### Suspicious Hostname
+### Credential Dumping By LaZagne
- 04/04/2024 - major - Rule's pattern field changed
### Alternate PowerShell Hosts Pipe
- 04/04/2024 - major - Rule's pattern field changed
-### Webshell Creation
+### SCM Database Handle Failure
- 04/04/2024 - major - Rule's pattern field changed
-### External Disk Drive Or USB Storage Device
+### Secure Deletion With SDelete
- 04/04/2024 - major - Rule's pattern field changed
-### DHCP Server Error Failed Loading the CallOut DLL
+### Remote Service Activity Via SVCCTL Named Pipe
- 04/04/2024 - major - Rule's pattern field changed
-### Remote Privileged Group Enumeration
+### Successful Brute Force Login From Internet
- 04/04/2024 - major - Rule's pattern field changed
-### TUN/TAP Driver Installation
+### Suspicious Hostname
- 04/04/2024 - major - Rule's pattern field changed
-### Suspect Svchost Memory Access
+### SysKey Registry Keys Access
- 04/04/2024 - major - Rule's pattern field changed
-### User Added to Local Administrators
+### DHCP Server Error Failed Loading the CallOut DLL
- 04/04/2024 - major - Rule's pattern field changed
-### Failed Logon Followed By A Success From Public IP Addresses
+### Suspicious Access To Sensitive File Extensions
- 04/04/2024 - major - Rule's pattern field changed
-### Suspicious Windows ANONYMOUS LOGON Local Account Created
+### Remote Privileged Group Enumeration
- 04/04/2024 - major - Rule's pattern field changed
-### User Couldn't Call A Privileged Service LsaRegisterLogonProcess
+### User Added to Local Administrators
- 04/04/2024 - major - Rule's pattern field changed
-### User Account Created
+### DPAPI Domain Backup Key Extraction
- 04/04/2024 - major - Rule's pattern field changed
-### SCM Database Handle Failure
+### Suspicious LDAP-Attributes Used
- 04/04/2024 - major - Rule's pattern field changed
-### WMI Event Subscription
+### Suspicious SAM Dump
- 04/04/2024 - major - Rule's pattern field changed
-### MSBuild Abuse
+### CVE-2019-0708 Scan
- 04/04/2024 - major - Rule's pattern field changed
-### Account Tampering - Suspicious Failed Logon Reasons
+### Suspicious Outbound Kerberos Connection
- 04/04/2024 - major - Rule's pattern field changed
-### DPAPI Domain Backup Key Extraction
+### DHCP Server Loaded the CallOut DLL
- 04/04/2024 - major - Rule's pattern field changed
-### SysKey Registry Keys Access
+### Microsoft Malware Protection Engine Crash
- 04/04/2024 - major - Rule's pattern field changed
-### Suspicious PsExec Execution
+### WMI Event Subscription
- 04/04/2024 - major - Rule's pattern field changed
-### Remote Registry Management Using Reg Utility
+### Account Tampering - Suspicious Failed Logon Reasons
- 04/04/2024 - major - Rule's pattern field changed
-### SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory
+### TUN/TAP Driver Installation
- 04/04/2024 - major - Rule's pattern field changed
-### Successful Brute Force Login From Internet
+### Remote Registry Management Using Reg Utility
- 04/04/2024 - major - Rule's pattern field changed
-### Credential Dumping By LaZagne
+### DNS Server Error Failed Loading The ServerLevelPluginDLL
- 04/04/2024 - major - Rule's pattern field changed
-### Suspicious LDAP-Attributes Used
+### External Disk Drive Or USB Storage Device
- 04/04/2024 - major - Rule's pattern field changed
-### RDP Login From Localhost
+### Powershell Winlogon Helper DLL
- 04/04/2024 - major - Rule's pattern field changed
-### User Account Deleted
+### User Couldn't Call A Privileged Service LsaRegisterLogonProcess
- 04/04/2024 - major - Rule's pattern field changed
-### Remote Service Activity Via SVCCTL Named Pipe
+### User Account Deleted
- 04/04/2024 - major - Rule's pattern field changed
-### SAM Registry Hive Handle Request
+### Webshell Creation
- 04/04/2024 - major - Rule's pattern field changed
### WAF Correlation Block Multiple Destinations
- 28/03/2024 - minor - Rule effort was updated to master
-### Cloudflare WAF Correlation Alerts
+### WAF Correlation Block actions
- 28/03/2024 - minor - Rule effort was updated to master
-### WAF Correlation Block actions
+### Cloudflare WAF Correlation Alerts
- 28/03/2024 - minor - Rule effort was updated to master
### Netskope Admin Audit
@@ -272,178 +272,178 @@ Changelog _last update on 2024-07-08_
### Netskope Alert
- 28/03/2024 - minor - Rule effort was updated to master
-### Privileged AD Builtin Group Modified
+### CVE-2017-11882 Microsoft Office Equation Editor Vulnerability
- 26/03/2024 - major - Rule's pattern field changed
-### PowerView commandlets 2
+### Account Removed From A Security Enabled Group
- 26/03/2024 - major - Rule's pattern field changed
-### Microsoft Defender Antivirus Configuration Changed
+### Legitimate Process Execution From Unusual Folder
- 26/03/2024 - major - Rule's pattern field changed
-### Backup Catalog Deleted
+### Putty Sessions Listing
- 26/03/2024 - major - Rule's pattern field changed
-### Potential RDP Connection To Non-Domain Host
+### Microsoft Defender Antivirus Tampering Detected
- 26/03/2024 - major - Rule's pattern field changed
-### Admin User RDP Remote Logon
+### Mimikatz LSASS Memory Access
- 26/03/2024 - major - Rule's pattern field changed
-### Python Opening Ports
+### Admin User RDP Remote Logon
- 26/03/2024 - major - Rule's pattern field changed
-### Malware Outbreak
+### Eventlog Cleared
- 26/03/2024 - major - Rule's pattern field changed
-### WMImplant Hack Tool
+### AD User Enumeration
- 26/03/2024 - major - Rule's pattern field changed
-### Protected Storage Service Access
+### Chafer (APT 39) Activity
- 26/03/2024 - major - Rule's pattern field changed
-### Successful Overpass The Hash Attempt
+### Dynwrapx Module Loading
- 26/03/2024 - major - Rule's pattern field changed
-### Microsoft Defender Antivirus Tampering Detected
+### LSASS Memory Dump
- 26/03/2024 - major - Rule's pattern field changed
-### DCSync Attack
+### Account Added To A Security Enabled Group
- 26/03/2024 - major - Rule's pattern field changed
-### Domain Trust Created Or Removed
+### Admin Share Access
- 26/03/2024 - major - Rule's pattern field changed
-### Dynwrapx Module Loading
+### PsExec Process
- 26/03/2024 - major - Rule's pattern field changed
-### NetNTLM Downgrade Attack
+### Domain Trust Created Or Removed
- 26/03/2024 - major - Rule's pattern field changed
-### DC Shadow via Service Principal Name (SPN) creation
+### DCSync Attack
- 26/03/2024 - major - Rule's pattern field changed
-### Admin Share Access
+### Detection of default Mimikatz banner
- 26/03/2024 - major - Rule's pattern field changed
-### Account Removed From A Security Enabled Group
+### Active Directory Replication User Backdoor
- 26/03/2024 - major - Rule's pattern field changed
-### Bloodhound and Sharphound Tools Usage
- - 26/03/2024 - minor - Adapted the rule to remove false positives.
-
-### Active Directory User Backdoors
+### StoneDrill Service Install
- 26/03/2024 - major - Rule's pattern field changed
-### Active Directory Replication from Non Machine Account
+### PowerView commandlets 2
- 26/03/2024 - major - Rule's pattern field changed
-### Malicious Service Installations
+### Process Hollowing Detection
- 26/03/2024 - major - Rule's pattern field changed
-### Mimikatz LSASS Memory Access
+### Possible Replay Attack
- 26/03/2024 - major - Rule's pattern field changed
-### Lateral Movement Remote Named Pipe
- - 26/03/2024 - minor - Filter was improved to reduce false positives
-
-### APT29 Fake Google Update Service Install
+### Computer Account Deleted
- 26/03/2024 - major - Rule's pattern field changed
-### Putty Sessions Listing
+### Active Directory User Backdoors
- 26/03/2024 - major - Rule's pattern field changed
-### LSASS Memory Dump
+### LSASS Access From Non System Account
- 26/03/2024 - major - Rule's pattern field changed
-### Active Directory Replication User Backdoor
+### Successful Overpass The Hash Attempt
- 26/03/2024 - major - Rule's pattern field changed
-### Active Directory Delegate To KRBTGT Service
+### Microsoft Defender Antivirus Exclusion Configuration
- 26/03/2024 - major - Rule's pattern field changed
-### Process Herpaderping
+### Smbexec.py Service Installation
- 26/03/2024 - major - Rule's pattern field changed
-### Legitimate Process Execution From Unusual Folder
+### Microsoft Defender Antivirus Threat Detected
- 26/03/2024 - major - Rule's pattern field changed
-### Smbexec.py Service Installation
+### NetNTLM Downgrade Attack
- 26/03/2024 - major - Rule's pattern field changed
-### Microsoft Defender Antivirus Threat Detected
+### Possible RottenPotato Attack
- 26/03/2024 - major - Rule's pattern field changed
-### AD User Enumeration
+### WMImplant Hack Tool
- 26/03/2024 - major - Rule's pattern field changed
-### Creation or Modification of a GPO Scheduled Task
+### Microsoft Defender Antivirus Configuration Changed
- 26/03/2024 - major - Rule's pattern field changed
-### Cobalt Strike Default Service Creation Usage
+### APT29 Fake Google Update Service Install
- 26/03/2024 - major - Rule's pattern field changed
-### Denied Access To Remote Desktop
+### Python Opening Ports
- 26/03/2024 - major - Rule's pattern field changed
-### CVE-2017-11882 Microsoft Office Equation Editor Vulnerability
+### Privileged AD Builtin Group Modified
- 26/03/2024 - major - Rule's pattern field changed
-### Microsoft Defender Antivirus Exclusion Configuration
+### Active Directory Delegate To KRBTGT Service
- 26/03/2024 - major - Rule's pattern field changed
-### Account Added To A Security Enabled Group
+### AD Privileged Users Or Groups Reconnaissance
- 26/03/2024 - major - Rule's pattern field changed
-### Password Change On Directory Service Restore Mode (DSRM) Account
+### Denied Access To Remote Desktop
- 26/03/2024 - major - Rule's pattern field changed
-### Eventlog Cleared
+### Impacket Secretsdump.py Tool
- 26/03/2024 - major - Rule's pattern field changed
-### Impacket Secretsdump.py Tool
+### Creation or Modification of a GPO Scheduled Task
- 26/03/2024 - major - Rule's pattern field changed
-### StoneDrill Service Install
+### Active Directory Replication from Non Machine Account
- 26/03/2024 - major - Rule's pattern field changed
-### Microsoft Defender Antivirus History Deleted
+### Lateral Movement Remote Named Pipe
+ - 26/03/2024 - minor - Filter was improved to reduce false positives
+
+### Cobalt Strike Default Service Creation Usage
- 26/03/2024 - major - Rule's pattern field changed
-### Possible RottenPotato Attack
+### Password Dumper Activity On LSASS
- 26/03/2024 - major - Rule's pattern field changed
-### Possible Replay Attack
+### Microsoft Defender Antivirus History Deleted
- 26/03/2024 - major - Rule's pattern field changed
-### Process Hollowing Detection
+### Protected Storage Service Access
- 26/03/2024 - major - Rule's pattern field changed
-### Antivirus Relevant File Paths Alerts
+### Malicious Service Installations
- 26/03/2024 - major - Rule's pattern field changed
-### AD Privileged Users Or Groups Reconnaissance
+### Password Change On Directory Service Restore Mode (DSRM) Account
- 26/03/2024 - major - Rule's pattern field changed
### Active Directory Database Dump Via Ntdsutil
- 26/03/2024 - major - Rule's pattern field changed
-### Computer Account Deleted
+### Antivirus Relevant File Paths Alerts
- 26/03/2024 - major - Rule's pattern field changed
-### Detection of default Mimikatz banner
+### Potential RDP Connection To Non-Domain Host
- 26/03/2024 - major - Rule's pattern field changed
-### PsExec Process
+### Bloodhound and Sharphound Tools Usage
+ - 26/03/2024 - minor - Adapted the rule to remove false positives.
+
+### DC Shadow via Service Principal Name (SPN) creation
- 26/03/2024 - major - Rule's pattern field changed
-### Chafer (APT 39) Activity
+### Backup Catalog Deleted
- 26/03/2024 - major - Rule's pattern field changed
-### LSASS Access From Non System Account
+### Process Herpaderping
- 26/03/2024 - major - Rule's pattern field changed
-### Password Dumper Activity On LSASS
+### Malware Outbreak
- 26/03/2024 - major - Rule's pattern field changed
### Impacket Wmiexec Module
@@ -458,55 +458,55 @@ Changelog _last update on 2024-07-08_
### Remote Task Creation Via ATSVC Named Pipe
- 21/03/2024 - minor - change filter to ACL hex value
-### Lsass Wrong Parent
+### Explorer Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Taskhost Wrong Parent
+### Gpscript Suspicious Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Winlogon wrong parent
+### Winrshost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Wsmprovhost Wrong Parent
+### Dllhost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Explorer Wrong Parent
+### Svchost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
### Winword wrong parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Dllhost Wrong Parent
+### Lsass Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Csrss Wrong Parent
+### Taskhost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Searchindexer Wrong Parent
+### Wininit Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Svchost Wrong Parent
+### Taskhostw Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Wininit Wrong Parent
+### Searchindexer Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Userinit Wrong Parent
+### Winlogon wrong parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Gpscript Suspicious Parent
+### Wsmprovhost Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Wmiprvse Wrong Parent
+### Userinit Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Spoolsv Wrong Parent
+### Csrss Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Taskhostw Wrong Parent
+### Wmiprvse Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
-### Winrshost Wrong Parent
+### Spoolsv Wrong Parent
- 19/03/2024 - major - Added filter to reduce false positives
### Microsoft 365 Suspicious Inbox Rule
@@ -524,14 +524,11 @@ Changelog _last update on 2024-07-08_
### WMIC Command To Determine The Antivirus
- 28/02/2024 - minor - Adding a new usage of wmic.
-### Outlook Registry Access
- - 19/02/2024 - minor - Effort level was adapted according to the observed hits for the rule
-
### Non-Legitimate Executable Using AcceptEula Parameter
- 19/02/2024 - minor - Update filter and effort level according to the observed hits for the rule.
-### Microsoft Defender Antivirus Disabled Base64 Encoded
- - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+### Outlook Registry Access
+ - 19/02/2024 - minor - Effort level was adapted according to the observed hits for the rule
### Netsh Port Forwarding
- 15/02/2024 - minor - Added filter to reduce false positives
@@ -539,139 +536,142 @@ Changelog _last update on 2024-07-08_
### NlTest Usage
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### MS Office Product Spawning Exe in User Dir
+### Microsoft Defender Antivirus Disabled Base64 Encoded
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Microsoft Defender for Office 365 High Severity AIR Alert
+### MS Office Product Spawning Exe in User Dir
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Microsoft Defender for Office 365 Medium Severity AIR Alert
+### AWS GuardDuty High Severity Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### AWS GuardDuty Medium Severity Alert
+### AWS CloudTrail GuardDuty Detector Deleted
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### AWS GuardDuty High Severity Alert
+### Okta MFA Disabled
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically
+### Sekoia.io EICAR Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Okta Phishing Detection with FastPass Origin Check
+### Microsoft Defender for Office 365 High Severity AIR Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### AWS CloudTrail GuardDuty Detector Suspended
+### Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Sekoia.io EICAR Detection
+### Microsoft Defender for Office 365 Medium Severity AIR Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Okta MFA Disabled
+### Okta Phishing Detection with FastPass Origin Check
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### AWS CloudTrail GuardDuty Detector Deleted
+### Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action
+### AWS GuardDuty Medium Severity Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CVE-2021-21985 VMware vCenter
+### AWS CloudTrail GuardDuty Detector Suspended
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR SSO User Added
+### CVE-2021-21985 VMware vCenter
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### HarfangLab EDR Process Execution Blocked (HL-AI engine)
+### Login Brute-Force Successful On SentinelOne EDR Management Console
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Intrusion Detection High Severity
+### CrowdStrike Falcon Identity Protection Detection Medium Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Threat Detected (Malicious)
+### CrowdStrike Falcon Identity Protection Detection Critical Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Cybereason EDR Malware Detection
+### CrowdStrike Falcon Intrusion Detection Critical Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Login Brute-Force Successful On SentinelOne EDR Management Console
+### CrowdStrike Falcon Identity Protection Detection Low Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Threat Mitigation Report Quarantine Success
+### Cybereason EDR Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Identity Protection Detection High Severity
+### WithSecure Elements Critical Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### WithSecure Elements Critical Severity
+### CrowdStrike Falcon Intrusion Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Custom Rule Alert
+### CrowdStrike Falcon Identity Protection Detection High Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively
+### SentinelOne EDR SSO User Added
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Intrusion Detection
+### SentinelOne EDR Custom Rule Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Login Failed Brute-Force On SentinelOne EDR Management Console
+### CrowdStrike Falcon Identity Protection Detection Informational Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Threat Mitigation Report Kill Success
+### SentinelOne EDR Threat Detected (Suspicious)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### HarfangLab EDR Hlai Engine Detection
+### Trend Micro Apex One Malware Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
### SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Identity Protection Detection Medium Severity
+### CrowdStrike Falcon Intrusion Detection Medium Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Trend Micro Apex One Intrusion Detection Alert
+### SentinelOne EDR Threat Detected (Malicious)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Intrusion Detection Informational Severity
+### HarfangLab EDR Hlai Engine Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Identity Protection Detection Critical Severity
+### HarfangLab EDR Process Execution Blocked (HL-AI engine)
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Malicious Threat Not Mitigated
+### CrowdStrike Falcon Intrusion Detection Low Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Identity Protection Detection Informational Severity
+### CrowdStrike Falcon Intrusion Detection Informational Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Intrusion Detection Critical Severity
+### Trend Micro Apex One Data Loss Prevention Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Trend Micro Apex One Data Loss Prevention Alert
+### SentinelOne EDR Threat Mitigation Report Remediate Success
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Intrusion Detection Low Severity
+### SentinelOne EDR Malicious Threat Not Mitigated
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Threat Detected (Suspicious)
+### Trend Micro Apex One Intrusion Detection Alert
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### SentinelOne EDR Threat Mitigation Report Remediate Success
+### CrowdStrike Falcon Intrusion Detection High Severity
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Trend Micro Apex One Malware Alert
+### SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
### SentinelOne EDR Threat Mitigation Report Quarantine Failed
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Intrusion Detection Medium Severity
+### SentinelOne EDR Threat Mitigation Report Kill Success
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### Cybereason EDR Alert
+### SentinelOne EDR Threat Mitigation Report Quarantine Success
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
-### CrowdStrike Falcon Identity Protection Detection Low Severity
+### Login Failed Brute-Force On SentinelOne EDR Management Console
+ - 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
+
+### Cybereason EDR Malware Detection
- 15/02/2024 - minor - Effort level was adapted according to the observed hits for the rule.
### WMIC Uninstall Product
@@ -722,12 +722,12 @@ Changelog _last update on 2024-07-08_
### HTA Infection Chains
- 30/11/2023 - minor - Update pattern with new lolbin
-### Netsh Program Allowed With Suspicious Location
- - 29/11/2023 - minor - Update regex pattern to insensitive case
-
### PowerShell Download From URL
- 29/11/2023 - minor - Added a filter to the rule as some false positives were observed.
+### Netsh Program Allowed With Suspicious Location
+ - 29/11/2023 - minor - Update regex pattern to insensitive case
+
### Suspicious Regsvr32 Execution
- 23/11/2023 - major - Extended detection and added filter
@@ -764,27 +764,27 @@ Changelog _last update on 2024-07-08_
### Suspicious Windows Script Execution
- 19/10/2023 - major - Review of the rule to reduce false positives.
-### Domain Trust Discovery Through LDAP
- - 19/10/2023 - minor - improve filter to reduce false positives
-
### CMSTP Execution
- 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity.
+### Domain Trust Discovery Through LDAP
+ - 19/10/2023 - minor - improve filter to reduce false positives
+
### Transfering Files With Credential Data Via Network Shares
- 17/10/2023 - minor - Improve selection to reduce false positives
### AdFind Usage
- 12/10/2023 - minor - Slight change to a condition in order to reduce false positives.
-### Microsoft 365 (Office 365) Unusual Volume Of File Deletion
- - 09/10/2023 - major - Fix field names to match the current parser.
-
### Microsoft 365 (Office 365) Mass Download By A Single User
- 09/10/2023 - major - Fix field names to match the current parser.
### Microsoft 365 (Office 365) Potential Ransomware Activity Detected
- 09/10/2023 - major - Fix field names to match the current parser.
+### Microsoft 365 (Office 365) Unusual Volume Of File Deletion
+ - 09/10/2023 - major - Fix field names to match the current parser.
+
### Login Brute-Force Successful
- 06/10/2023 - minor - renaming and tunn filters to limit False Positive
@@ -815,10 +815,10 @@ Changelog _last update on 2024-07-08_
### Wmic Process Call Creation
- 01/08/2023 - major - Rewritten as a regex to reduce false positives
-### Potential DNS Tunnel
+### Correlation Potential DNS Tunnel
- 19/07/2023 - major - New regex pattern and new filters.
-### Correlation Potential DNS Tunnel
+### Potential DNS Tunnel
- 19/07/2023 - major - New regex pattern and new filters.
### Rclone Process
@@ -830,10 +830,10 @@ Changelog _last update on 2024-07-08_
### HackTools Suspicious Process Names In Command Line
- 19/06/2023 - minor - Added filter to the rule to reduce false positives.
-### Socat Reverse Shell Detection
+### Socat Relaying Socket
- 14/06/2023 - minor - Added filter to the rule to reduce false positives.
-### Socat Relaying Socket
+### Socat Reverse Shell Detection
- 14/06/2023 - minor - Added filter to the rule to reduce false positives.
### Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 0450bfc9e8..701e3a5159 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **898 built-in detection rules** ([_last update on 2024-07-08_](rules_changelog.md)).
+Rules catalog includes **899 built-in detection rules** ([_last update on 2024-07-10_](rules_changelog.md)).
## Reconnaissance
**Gather Victim Identity Information**
@@ -120,6 +120,12 @@ Rules catalog includes **898 built-in detection rules** ([_last update on 2024-0
- **Effort:** master
+??? abstract "Fastly Next-Gen WAF Audit Threat Alert"
+
+ Forward a threat detection made by Fastly Next-Gen WAF Audit Logs
+
+ - **Effort:** master
+
??? abstract "Internet Scanner"
Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation.
@@ -4903,6 +4909,7 @@ Rules catalog includes **898 built-in detection rules** ([_last update on 2024-0
- **Changelog:**
- 04/04/2024 - major - Rule's pattern field changed
+ - 10/07/2024 - minor - Adding filter and new elements to reduce false positives.
**Office Application Startup**
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md
index 6470b9277c..ccce63a89c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md
@@ -213,12 +213,6 @@ The following Sekoia.io built-in rules match the intake **Citrix NetScaler / ADC
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
index b0d7aff45d..9ece01609e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
@@ -1239,12 +1239,6 @@ The following Sekoia.io built-in rules match the intake **WithSecure Elements**.
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md
index 8630418628..4ae5be98ec 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md
@@ -207,12 +207,6 @@ The following Sekoia.io built-in rules match the intake **VMware vCenter**. This
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
index cf8bb0677f..53398508cd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
@@ -1269,12 +1269,6 @@ The following Sekoia.io built-in rules match the intake **Trend Micro Apex One**
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
index 36a1ea7d4d..e31201c321 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
@@ -1221,12 +1221,6 @@ The following Sekoia.io built-in rules match the intake **Cybereason EDR activit
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.md
index 9d2760d4be..11decfc8c3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.md
@@ -87,12 +87,6 @@ The following Sekoia.io built-in rules match the intake **ExtraHop Reveal(x) 360
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
index 6f4f9252ab..84ea578e17 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
@@ -555,12 +555,6 @@ The following Sekoia.io built-in rules match the intake **RSA SecurID**. This do
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
index 50be4d6fa6..b537b0a17e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
@@ -1641,12 +1641,6 @@ The following Sekoia.io built-in rules match the intake **Azure Windows**. This
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.md
index 4542591aeb..f357c37ec6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.md
@@ -87,12 +87,6 @@ The following Sekoia.io built-in rules match the intake **Azure Network Watcher*
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
index 3890be93f8..5181702eb6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
@@ -1743,12 +1743,6 @@ The following Sekoia.io built-in rules match the intake **HarfangLab EDR**. This
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md
index 580fc03dcd..7578c9b91d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md
@@ -153,12 +153,6 @@ The following Sekoia.io built-in rules match the intake **Sophos EDR**. This doc
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md
index 307aaf895b..fb62dd290f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md
@@ -507,12 +507,6 @@ The following Sekoia.io built-in rules match the intake **Skyhigh Secure Web Gat
- **Effort:** elementary
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md
index 5bcdd4a163..aa1c6d2136 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md
@@ -489,12 +489,6 @@ The following Sekoia.io built-in rules match the intake **Cisco Secure Firewall*
- **Effort:** advanced
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md
index 992598e082..ae5cca5516 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md
@@ -357,12 +357,6 @@ The following Sekoia.io built-in rules match the intake **Fortinet FortiGate**.
- **Effort:** elementary
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.md
index ad78537598..e1f970cd22 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.md
@@ -81,12 +81,6 @@ The following Sekoia.io built-in rules match the intake **Lacework Cloud Securit
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
index 7534683f84..bc15af41cc 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
@@ -1203,12 +1203,6 @@ The following Sekoia.io built-in rules match the intake **Cisco NX-OS**. This do
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md
index 8b9c33fda7..01933acd4c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md
@@ -81,12 +81,6 @@ The following Sekoia.io built-in rules match the intake **Cisco IOS router and s
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md
index 6dac1fab8a..c1f7da56f6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md
@@ -147,12 +147,6 @@ The following Sekoia.io built-in rules match the intake **Ivanti / Pulse Connect
- **Effort:** advanced
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
index 81bfd2f56e..4560492004 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
@@ -1215,12 +1215,6 @@ The following Sekoia.io built-in rules match the intake **TEHTRIS EDR**. This do
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
index caf7b5b674..aef4eb60f7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
@@ -1401,12 +1401,6 @@ The following Sekoia.io built-in rules match the intake **Sophos Analysis Threat
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md
index 9edcf90ae0..802c0ab4d5 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md
@@ -99,12 +99,6 @@ The following Sekoia.io built-in rules match the intake **Claroty xDome**. This
- **Effort:** advanced
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md
index b1017472dd..fe70268d96 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md
@@ -225,12 +225,6 @@ The following Sekoia.io built-in rules match the intake **Cybereason EDR**. This
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md
index 8899b9b681..485cfa0d81 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.md
@@ -855,12 +855,6 @@ The following Sekoia.io built-in rules match the intake **F5 BIG-IP**. This docu
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
index f02f978b05..6a8e8bb97d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
@@ -1935,12 +1935,6 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**.
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.md
index 3ea27db6b3..3d89b6af9e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.md
@@ -63,6 +63,12 @@ The following Sekoia.io built-in rules match the intake **Fastly Next-Gen WAF Au
- **Effort:** master
+??? abstract "Fastly Next-Gen WAF Audit Threat Alert"
+
+ Forward a threat detection made by Fastly Next-Gen WAF Audit Logs
+
+ - **Effort:** master
+
??? abstract "Koadic MSHTML Command"
Detects Koadic payload using MSHTML module
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
index 4669517a75..48d0b72fdc 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
@@ -507,12 +507,6 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office
- **Effort:** elementary
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
index 1f12d40534..e8862e363d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
@@ -321,12 +321,6 @@ The following Sekoia.io built-in rules match the intake **Salesforce**. This doc
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
index 930961a5c8..f6af632f2b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
@@ -381,12 +381,6 @@ The following Sekoia.io built-in rules match the intake **AWS CloudTrail**. This
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
index deb2a1227d..f3089146b3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
@@ -123,12 +123,6 @@ The following Sekoia.io built-in rules match the intake **WatchGuard Firebox**.
- **Effort:** advanced
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
index c578e5ce3e..2430f86696 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
@@ -1137,12 +1137,6 @@ The following Sekoia.io built-in rules match the intake **IBM AIX**. This docume
- **Effort:** intermediate
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
index fcf71a9f66..df6aa6b85c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
@@ -447,12 +447,6 @@ The following Sekoia.io built-in rules match the intake **SonicWall Firewall**.
- **Effort:** advanced
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.md
index 2fd7f18dcc..7454299ec3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.md
@@ -147,12 +147,6 @@ The following Sekoia.io built-in rules match the intake **Windows Log Insight**.
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md
index ecb5c6d423..c3580a5c58 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md
@@ -273,12 +273,6 @@ The following Sekoia.io built-in rules match the intake **Check Point NGFW**. Th
- **Effort:** elementary
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md
index 3cfb4759ee..139236bb95 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md
@@ -255,12 +255,6 @@ The following Sekoia.io built-in rules match the intake **Forcepoint Secure Web
- **Effort:** advanced
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
index 2141788760..56e1f733d3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
@@ -1641,12 +1641,6 @@ The following Sekoia.io built-in rules match the intake **Stormshield SES**. Thi
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
index ae4564f65b..561bf44f08 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.md
@@ -267,12 +267,6 @@ The following Sekoia.io built-in rules match the intake **IBM iSeries [BETA]**.
- **Effort:** master
-??? abstract "User Account Created"
-
- Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account `defaultuser0` is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
-
- - **Effort:** master
-
??? abstract "User Account Deleted"
Detects local user deletion
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 720a4fd9ee..69f9d806e6 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -1,6 +1,6 @@
# Built-in detection rules, EventIDs and EventProviders relations
SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture.
-This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-07-08_
+This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-07-10_
The colors of the EventIDs in this page should be interpreted as follow:
@@ -12,585 +12,582 @@ The colors of the EventIDs in this page should be interpreted as follow:
## Rules x Effort Level x EventIDs x Event Providers
| Rule Name | Effort Level | EventIDs | Event Providers |
| --------- | ------------ | -------- | --------------- |
-| xWizard Execution | master | 1 | Kernel-Process |
-| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender |
-| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150 | Microsoft-Windows-DNS-Server-Service |
-| Tenable Identity Exposure / Alsid Critical Severity Alert | master | 83820799 | |
-| User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing |
-| Tenable Identity Exposure / Alsid High Severity Alert | master | 79016668 | |
+| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon |
| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon |
+| Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing |
+| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing |
+| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon |
+| Microsoft Defender for Office 365 High Severity AIR Alert | master | 64 | |
+| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon |
+| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon |
+| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon |
+| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender |
+| Privileged AD Builtin Group Modified | master | 4728 | Microsoft-Windows-Security-Auditing |
| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing |
-| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon |
-| Outlook Registry Access | master | 1 | Microsoft-Windows-Sysmon |
-| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon |
-| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
+| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing |
+| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Admin Share Access | master | 5140 | Microsoft-Windows-Security-Auditing |
+| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon |
| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| MS Office Product Spawning Exe in User Dir | master | 1 | Microsoft-Windows-Sysmon |
-| Microsoft 365 Device Code Authentication | master | 15 | |
+| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing |
+| NjRat Registry Changes | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
+| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon |
+| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing |
+| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing |
+| Webshell Creation | master | 11 | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | |
+| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon |
+| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon |
| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon |
-| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon |
| Putty Sessions Listing | master | 1, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon |
-| Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | |
-| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon |
-| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing |
-| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon |
-| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon |
-| Failed Logon Followed By A Success From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing |
-| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) MCAS New Country | master | 98 | |
-| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon |
-| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon |
-| Microsoft Defender for Office 365 Medium Severity AIR Alert | master | 64 | |
-| Data Compressed With Rar | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | master | 64 | |
+| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing |
+| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender |
+| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon |
| Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon |
-| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon |
-| Privileged AD Builtin Group Modified | master | 4728 | Microsoft-Windows-Security-Auditing |
-| CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon |
-| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing |
-| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon |
+| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client |
+| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing |
+| Rebooting | master | 1 | Kernel-Process |
+| Remote Monitoring and Management Software - Atera | master | 13 | Microsoft-Windows-Sysmon |
| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing |
-| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon |
-| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing |
-| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing |
-| Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon |
-| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender |
-| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon |
-| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing |
-| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | |
-| Microsoft Defender for Office 365 High Severity AIR Alert | master | 64 | |
-| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | |
+| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon |
+| List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell |
| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | |
-| Remote Monitoring and Management Software - Atera | master | 13 | Microsoft-Windows-Sysmon |
-| Rebooting | master | 1 | Kernel-Process |
-| User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing |
-| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon |
-| LSASS Access From Non System Account | master | 4656 | Microsoft-Windows-Security-Auditing |
-| NjRat Registry Changes | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
-| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon |
-| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing |
-| Stop Backup Services | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
-| Webshell Creation | master | 11 | Microsoft-Windows-Sysmon |
-| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon |
-| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon |
+| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon |
+| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing |
| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender |
-| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
-| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell |
-| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing |
-| User Added to Local Administrators | master | 4732 | Microsoft-Windows-Security-Auditing |
-| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing |
-| Admin Share Access | master | 5140 | Microsoft-Windows-Security-Auditing |
| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell |
-| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | |
-| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | |
+| Microsoft 365 Device Code Authentication | master | 15 | |
+| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon |
+| User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing |
+| Microsoft Defender for Office 365 Medium Severity AIR Alert | master | 64 | |
+| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing |
+| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) MCAS New Country | master | 98 | |
+| Outlook Registry Access | master | 1 | Microsoft-Windows-Sysmon |
+| Tenable Identity Exposure / Alsid Critical Severity Alert | master | 83820799 | |
+| User Added to Local Administrators | master | 4732 | Microsoft-Windows-Security-Auditing |
| Remote Service Activity Via SVCCTL Named Pipe | master | 5145 | Microsoft-Windows-Security-Auditing |
-| Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing |
-| List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell |
-| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | master | 64 | |
-| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing |
-| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon |
+| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell |
+| Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon |
| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing |
-| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing |
+| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon |
+| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing |
+| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon |
+| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon |
+| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
+| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | master | 64 | |
+| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon |
+| Failed Logon Followed By A Success From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing |
| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon |
-| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing |
+| Tenable Identity Exposure / Alsid High Severity Alert | master | 79016668 | |
+| MS Office Product Spawning Exe in User Dir | master | 1 | Microsoft-Windows-Sysmon |
+| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150 | Microsoft-Windows-DNS-Server-Service |
| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM |
-| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | |
-| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon |
-| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client |
-| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon |
-| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon |
-| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Logonui Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon |
-| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon |
-| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing |
-| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
-| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon |
-| Non-Legitimate Executable Using AcceptEula Parameter | advanced | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process |
-| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
-| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
-| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon |
-| Svchost Wrong Parent | advanced | 4688 | Microsoft-Windows-Security-Auditing |
-| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon |
-| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon |
-| Searchindexer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon |
-| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing |
-| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing |
-| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
-| WMIC Command To Determine The Antivirus | advanced | 1, 5, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| PowerShell Commands Invocation | advanced | 1 | Kernel-Process |
-| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon |
-| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon |
+| xWizard Execution | master | 1 | Kernel-Process |
+| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon |
+| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing |
+| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | |
+| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon |
+| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon |
+| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | |
+| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | |
+| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon |
+| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | master | 64 | |
+| Stop Backup Services | master | 1, 13 | Kernel-Process, Microsoft-Windows-Sysmon |
+| User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing |
+| LSASS Access From Non System Account | master | 4656 | Microsoft-Windows-Security-Auditing |
+| CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon |
| OneNote Suspicious Children Process | advanced | 1, 15 | Microsoft-Windows-Sysmon |
-| WMI Event Subscription | advanced | 21 | Microsoft-Windows-Sysmon |
-| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon |
-| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon |
-| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell |
-| Winrshost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon |
| Lsass Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon |
-| Legitimate Process Execution From Unusual Folder | advanced | 1 | Microsoft-Windows-Sysmon |
-| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon |
-| Dllhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing |
-| Searchprotocolhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625 | Microsoft-Windows-Security-Auditing |
-| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon |
-| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon |
-| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell |
-| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager |
-| Lateral Movement Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing |
-| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon |
-| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell |
+| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
| Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Tampering Detected | advanced | 1127 | Microsoft-Windows-Windows Defender |
-| Wininit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Exfiltration Via Pscp | advanced | 1 | Microsoft-Windows-Sysmon |
+| Credentials Extraction | advanced | 1 | Kernel-Process |
| Spoolsv Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Threat Detected | advanced | 1116 | Microsoft-Windows-Windows Defender |
-| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process |
-| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Wmic Suspicious Commands | advanced | 5 | Kernel-Process |
-| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon |
-| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
-| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing |
-| NlTest Usage | advanced | 1 | Microsoft-Windows-Sysmon |
-| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon |
-| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon |
-| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
-| Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing |
-| AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process |
-| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Explorer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| PowerShell NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell |
| PowerShell AMSI Deactivation Bypass Using .NET Reflection | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625 | Microsoft-Windows-Security-Auditing |
+| External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing |
+| Svchost Wrong Parent | advanced | 4688 | Microsoft-Windows-Security-Auditing |
+| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon |
+| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon |
+| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon |
| Compress Data for Exfiltration via Archiver | advanced | 5 | Kernel-Process |
-| Userinit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
-| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing |
+| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon |
+| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon |
+| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon |
+| Logonui Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Winrshost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon |
+| Active Directory Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing |
+| Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon |
+| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon |
+| WMIC Command To Determine The Antivirus | advanced | 1, 5, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon |
+| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon |
| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell |
-| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon |
-| Dism Disabling Windows Defender | advanced | 1 | Kernel-Process |
-| Component Object Model Hijacking | advanced | 23 | Microsoft-Windows-Kernel-File |
-| Remote System Discovery Via Telnet | advanced | 5 | Kernel-Process |
+| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon |
+| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon |
+| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Threat Detected | advanced | 1116 | Microsoft-Windows-Windows Defender |
+| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon |
+| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing |
| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell |
-| Smss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon |
-| Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process |
-| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| PowerShell NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell |
+| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon |
+| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing |
+| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon |
+| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon |
+| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon |
+| NlTest Usage | advanced | 1 | Microsoft-Windows-Sysmon |
+| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing |
+| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing |
+| Non-Legitimate Executable Using AcceptEula Parameter | advanced | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process |
+| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon |
+| Wininit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
+| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon |
+| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon |
| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon |
-| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon |
-| WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon |
+| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon |
+| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon |
+| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon |
| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon |
-| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon |
-| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing |
+| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Explorer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon |
+| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing |
+| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon |
+| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon |
+| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon |
+| Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon |
+| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process |
+| Exfiltration Via Pscp | advanced | 1 | Microsoft-Windows-Sysmon |
| AzureEdge in Command Line | advanced | 5 | Kernel-Process |
-| Compression Followed By Suppression | advanced | 5 | Kernel-Process |
-| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing |
-| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process |
| Certify Or Certipy | advanced | 5 | Kernel-Process |
-| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager |
-| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon |
+| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon |
| FLTMC command usage | advanced | 5 | Kernel-Process |
-| Active Directory Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing |
-| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon |
+| WMI Event Subscription | advanced | 21 | Microsoft-Windows-Sysmon |
+| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon |
+| WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon |
+| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon |
+| Compression Followed By Suppression | advanced | 5 | Kernel-Process |
+| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing |
+| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon |
+| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon |
+| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing |
+| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon |
+| AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process |
+| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon |
+| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon |
+| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell |
| Wsmprovhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon |
-| External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing |
-| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon |
-| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon |
-| Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon |
-| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon |
-| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon |
-| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon |
-| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon |
-| Credentials Extraction | advanced | 1 | Kernel-Process |
-| Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon |
-| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon |
-| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
-| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
-| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Data Compressed With Rar With Password | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell |
-| Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Searchindexer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Tampering Detected | advanced | 1127 | Microsoft-Windows-Windows Defender |
+| Searchprotocolhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Smss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Dllhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing |
+| Legitimate Process Execution From Unusual Folder | advanced | 1 | Microsoft-Windows-Sysmon |
+| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon |
+| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon |
+| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon |
+| Lateral Movement Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing |
+| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell |
+| PowerShell Commands Invocation | advanced | 1 | Kernel-Process |
+| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager |
+| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Component Object Model Hijacking | advanced | 23 | Microsoft-Windows-Kernel-File |
+| Remote System Discovery Via Telnet | advanced | 5 | Kernel-Process |
+| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager |
+| Dism Disabling Windows Defender | advanced | 1 | Kernel-Process |
+| Userinit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell |
+| Wmic Suspicious Commands | advanced | 5 | Kernel-Process |
+| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon |
+| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon |
+| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
+| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Comsvcs | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
+| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General |
+| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon |
+| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon |
+| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
+| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
-| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager |
-| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing |
-| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network |
+| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
+| HackTools Suspicious Process Names In Command Line | intermediate | 1, 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
+| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing |
+| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager |
+| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
+| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Antivirus Relevant File Paths Alerts | intermediate | 1116 | Microsoft-Windows-Windows Defender |
| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon |
-| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell |
+| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
+| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon |
| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
-| TUN/TAP Driver Installation | intermediate | 7045 | Service Control Manager |
+| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
-| Process Memory Dump Using Comsvcs | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
-| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell |
-| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon |
-| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
-| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing |
-| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network |
+| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
+| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing |
+| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon |
+| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
+| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon |
-| Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Antivirus Relevant File Paths Alerts | intermediate | 1116 | Microsoft-Windows-Windows Defender |
-| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell |
-| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Grabbing Sensitive Hives Via Reg Utility | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
-| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon |
-| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Rundll32.exe Execution | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
-| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon |
-| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Secure Deletion With SDelete | intermediate | 4663 | Microsoft-Windows-Security-Auditing |
-| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon |
-| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon |
-| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon |
-| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
-| DC Shadow via Service Principal Name (SPN) creation | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
+| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Active Directory User Backdoors | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
+| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Njrat Registry Values | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
+| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1033, 1034 | Microsoft-Windows-DHCP-Server |
+| CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon |
+| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
+| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon |
+| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell |
+| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Kernel-Process, Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon |
-| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
-| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File |
-| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | |
-| Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing |
-| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager |
+| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon |
+| SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
+| DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon |
| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | |
-| StoneDrill Service Install | intermediate | 7045 | Service Control Manager |
-| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| HackTools Suspicious Process Names In Command Line | intermediate | 1, 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon |
-| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon |
-| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon |
-| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing |
+| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Eventlog Cleared | intermediate | 1102 | Microsoft-Windows-Eventlog |
+| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process |
| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
-| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon |
+| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | |
+| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
+| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon |
+| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon |
+| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
+| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing |
| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
-| Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon |
-| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
-| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
-| Njrat Registry Values | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
-| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious CommandLine Lsassy Pattern | intermediate | 5 | Kernel-Process |
-| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon |
-| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
-| DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon |
-| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
+| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon |
+| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | |
+| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Secure Deletion With SDelete | intermediate | 4663 | Microsoft-Windows-Security-Auditing |
+| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | |
| Suspicious Kerberos Ticket | intermediate | 4768 | Microsoft-Windows-Security-Auditing |
-| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
-| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1034 | Microsoft-Windows-DHCP-Server |
+| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
+| Remote Enumeration Of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing |
+| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing |
| Powershell Winlogon Helper DLL | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing |
-| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | |
-| SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process |
-| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon |
+| DC Shadow via Service Principal Name (SPN) creation | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
+| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
+| Suspicious CommandLine Lsassy Pattern | intermediate | 5 | Kernel-Process |
+| Suspicious Rundll32.exe Execution | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
+| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Data Compressed With Rar With Password | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon |
+| Windows Suspicious Scheduled Task Creation | intermediate | 4698 | Microsoft-Windows-Security-Auditing |
+| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager |
+| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon |
| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon |
-| High Privileges Network Share Removal | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
-| Windows Suspicious Service Creation | intermediate | 4697 | Microsoft-Windows-Security-Auditing |
-| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon |
-| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon |
-| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon |
-| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
-| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
-| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File |
-| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon |
-| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon |
-| Eventlog Cleared | intermediate | 1102 | Microsoft-Windows-Eventlog |
-| Remote Enumeration Of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing |
-| CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon |
-| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process |
-| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon |
-| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon |
-| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon |
-| NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon |
-| WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell |
+| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
+| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup |
+| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process |
+| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon |
| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon |
+| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon |
| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing |
-| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon |
-| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Active Directory User Backdoors | intermediate | 5136 | Microsoft-Windows-Security-Auditing |
-| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process |
-| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process |
-| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon |
| CertOC Loading Dll | intermediate | 1 | Kernel-Process |
-| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon |
-| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon |
-| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon |
-| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon |
-| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing |
-| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon |
-| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | Microsoft-Windows-DHCP-Server |
+| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General |
-| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon |
-| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Windows Suspicious Scheduled Task Creation | intermediate | 4698 | Microsoft-Windows-Security-Auditing |
-| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | |
-| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon |
| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | |
-| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
+| StoneDrill Service Install | intermediate | 7045 | Service Control Manager |
+| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon |
+| TUN/TAP Driver Installation | intermediate | 7045 | Service Control Manager |
+| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | |
+| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing |
+| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing |
+| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
+| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon |
+| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Microsoft Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon |
| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing |
-| Impacket Addcomputer | intermediate | 4741 | Microsoft-Windows-Security-Auditing |
-| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon |
+| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon |
+| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon |
-| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon |
-| Malicious Service Installations | elementary | 7045 | Service Control Manager |
+| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File |
+| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon |
+| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process |
+| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon |
+| Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon |
+| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon |
+| Grabbing Sensitive Hives Via Reg Utility | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon |
+| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon |
+| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error |
+| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon |
+| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon |
+| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File |
+| NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon |
+| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon |
+| High Privileges Network Share Removal | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon |
+| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing |
+| WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell |
+| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| Windows Suspicious Service Creation | intermediate | 4697 | Microsoft-Windows-Security-Auditing |
+| Netsh Port Forwarding | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process |
+| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon |
+| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell |
+| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell |
+| Smbexec.py Service Installation | elementary | 7045 | Service Control Manager |
+| Impacket Wmiexec Module | elementary | 1, 4688 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
+| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon |
+| Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon |
+| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon |
+| RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon |
+| Schtasks Persistence With High Privileges | elementary | 1 | Microsoft-Windows-Sysmon |
+| Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon |
+| TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell |
+| Suspicious Hangul Word Processor Child Process | elementary | 1 | Microsoft-Windows-Sysmon |
+| Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon |
+| Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon |
| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon |
-| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon |
-| ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon |
-| RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon |
-| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon |
| Audit CVE Event | elementary | 1 | Microsoft-Windows-Audit-CVE |
-| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon |
-| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon |
-| Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell |
-| Smbexec.py Service Installation | elementary | 7045 | Service Control Manager |
-| Active Directory Data Export Using Csvde | elementary | 1 | Kernel-Process |
-| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon |
-| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell |
-| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon |
+| Ryuk Ransomware Command Line | elementary | 1 | Microsoft-Windows-Sysmon |
+| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon |
+| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender |
| Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046) | elementary | 15 | |
-| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon |
-| Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager |
-| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing |
-| SysKey Registry Keys Access | elementary | 4663 | Microsoft-Windows-Security-Auditing |
-| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon |
-| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon |
-| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon |
-| Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon |
-| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process |
-| Active Directory Shadow Credentials | elementary | 5136 | Microsoft-Windows-Security-Auditing |
-| Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon |
-| Microsoft 365 Sign-in With No User Agent | elementary | 15 | |
+| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon |
+| RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon |
+| Domain Trust Discovery Through LDAP | elementary | 1, 4688 | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
+| Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon |
| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell |
-| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon |
-| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process |
-| Kerberos Pre-Auth Disabled in UAC | elementary | 4738 | Microsoft-Windows-Security-Auditing |
-| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process |
+| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | |
+| Entra ID Password Compromised By Known Credential Testing Tool | elementary | 15 | |
+| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon |
+| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon |
| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon |
-| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon |
-| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon |
-| Domain Trust Discovery Through LDAP | elementary | 1, 4688 | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon |
-| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon |
-| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT |
-| Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon |
+| Enabling Restricted Admin Mode | elementary | 1 | Kernel-Process |
+| Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon |
+| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon |
| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender |
+| ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon |
+| Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon |
+| Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell |
+| AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon |
| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon |
-| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon |
+| Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon |
| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon |
-| Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon |
-| TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell |
+| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon |
+| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT |
+| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon |
| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon |
-| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
-| Impacket Wmiexec Module | elementary | 1, 4688 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon |
-| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon |
+| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon |
+| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon |
+| Ursnif Registry Key | elementary | 13 | Microsoft-Windows-Sysmon |
+| Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon |
+| Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
+| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon |
+| CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing |
+| Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon |
| Microsoft 365 Suspicious Inbox Rule | elementary | 1 | |
-| AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon |
-| Entra ID Sign-In Via Known AiTM Phishing Kit | elementary | 15 | |
-| Suspicious Hangul Word Processor Child Process | elementary | 1 | Microsoft-Windows-Sysmon |
-| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon |
-| Schtasks Persistence With High Privileges | elementary | 1 | Microsoft-Windows-Sysmon |
-| Entra ID Password Compromised By Known Credential Testing Tool | elementary | 15 | |
-| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | |
-| Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon |
-| Disable Task Manager Through Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon |
-| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon |
-| Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon |
-| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon |
-| Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon |
-| Blue Mockingbird Malware | elementary | 1 | Microsoft-Windows-Sysmon |
-| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon |
-| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon |
+| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon |
+| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon |
+| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon |
+| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell |
+| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process |
+| Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon |
+| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon |
+| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon |
| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | |
+| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon |
+| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon |
+| Blue Mockingbird Malware | elementary | 1 | Microsoft-Windows-Sysmon |
+| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon |
+| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon |
+| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process |
+| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon |
+| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing |
| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing |
-| Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon |
-| Enabling Restricted Admin Mode | elementary | 1 | Kernel-Process |
-| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender |
-| Ursnif Registry Key | elementary | 13 | Microsoft-Windows-Sysmon |
-| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon |
-| Ryuk Ransomware Command Line | elementary | 1 | Microsoft-Windows-Sysmon |
-| CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing |
| APT29 Fake Google Update Service Install | elementary | 7045 | Service Control Manager |
+| Active Directory Shadow Credentials | elementary | 5136 | Microsoft-Windows-Security-Auditing |
| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon |
-| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon |
| Antivirus Exploitation Framework Detection | elementary | 1116 | Microsoft-Windows-Windows Defender |
-| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon |
-| Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon |
-| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon |
-| Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon |
-| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon |
-| RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon |
-| Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon |
+| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager |
+| SysKey Registry Keys Access | elementary | 4663 | Microsoft-Windows-Security-Auditing |
+| Microsoft 365 Sign-in With No User Agent | elementary | 15 | |
+| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process |
+| Kerberos Pre-Auth Disabled in UAC | elementary | 4738 | Microsoft-Windows-Security-Auditing |
+| Active Directory Data Export Using Csvde | elementary | 1 | Kernel-Process |
+| Malicious Service Installations | elementary | 7045 | Service Control Manager |
+| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon |
+| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon |
+| Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager |
+| Disable Task Manager Through Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon |
## EventIDs occurences in rules
-| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 470) |
+| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 467) |
| ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 226 | 48.09 % |
-| 13 | 47 | 10.0 % |
-| 4104 | 43 | 9.15 % |
-| 5 | 21 | 4.47 % |
-| 11 | 20 | 4.26 % |
-| 7 | 15 | 3.19 % |
-| 7045 | 11 | 2.34 % |
-| 5145 | 10 | 2.13 % |
-| 15 | 10 | 2.13 % |
-| 4688 | 7 | 1.49 % |
+| 1 | 225 | 48.18 % |
+| 13 | 47 | 10.06 % |
+| 4104 | 43 | 9.21 % |
+| 5 | 21 | 4.5 % |
+| 11 | 20 | 4.28 % |
+| 7 | 15 | 3.21 % |
+| 7045 | 11 | 2.36 % |
+| 5145 | 10 | 2.14 % |
+| 15 | 9 | 1.93 % |
+| 4688 | 7 | 1.5 % |
| 17 | 6 | 1.28 % |
-| 3 | 6 | 1.28 % |
| 5136 | 6 | 1.28 % |
-| 10 | 6 | 1.28 % |
+| 3 | 6 | 1.28 % |
| 98 | 6 | 1.28 % |
-| 4662 | 5 | 1.06 % |
-| 1116 | 5 | 1.06 % |
-| 4624 | 5 | 1.06 % |
-| 4697 | 4 | 0.85 % |
-| 4656 | 4 | 0.85 % |
-| 4663 | 4 | 0.85 % |
-| 64 | 4 | 0.85 % |
-| 22 | 4 | 0.85 % |
-| 4720 | 3 | 0.64 % |
-| 4103 | 3 | 0.64 % |
+| 10 | 6 | 1.28 % |
+| 4624 | 5 | 1.07 % |
+| 1116 | 5 | 1.07 % |
+| 4662 | 5 | 1.07 % |
+| 64 | 4 | 0.86 % |
+| 4663 | 4 | 0.86 % |
+| 22 | 4 | 0.86 % |
+| 4656 | 4 | 0.86 % |
+| 4697 | 4 | 0.86 % |
| 4625 | 3 | 0.64 % |
+| 4103 | 3 | 0.64 % |
+| 4720 | 3 | 0.64 % |
| 25 | 2 | 0.43 % |
+| 5007 | 2 | 0.43 % |
+| 4728 | 2 | 0.43 % |
| 8 | 2 | 0.43 % |
+| 12 | 2 | 0.43 % |
+| 6 | 2 | 0.43 % |
| 4738 | 2 | 0.43 % |
-| 4728 | 2 | 0.43 % |
| 30 | 2 | 0.43 % |
-| 6 | 2 | 0.43 % |
-| 5007 | 2 | 0.43 % |
-| 12 | 2 | 0.43 % |
+| 16 | 1 | 0.21 % |
+| 6416 | 1 | 0.21 % |
+| 4741 | 1 | 0.21 % |
+| 4673 | 1 | 0.21 % |
+| 5140 | 1 | 0.21 % |
+| 4729 | 1 | 0.21 % |
+| 4649 | 1 | 0.21 % |
+| 1033 | 1 | 0.21 % |
+| 1034 | 1 | 0.21 % |
+| 40 | 1 | 0.21 % |
+| 4743 | 1 | 0.21 % |
| 1013 | 1 | 0.21 % |
-| 150 | 1 | 0.21 % |
-| 83820799 | 1 | 0.21 % |
-| 524 | 1 | 0.21 % |
-| 79016668 | 1 | 0.21 % |
+| 5156 | 1 | 0.21 % |
+| 1102 | 1 | 0.21 % |
+| 325 | 1 | 0.21 % |
+| 4825 | 1 | 0.21 % |
+| 4768 | 1 | 0.21 % |
+| 4799 | 1 | 0.21 % |
+| 4698 | 1 | 0.21 % |
+| 4726 | 1 | 0.21 % |
| 4657 | 1 | 0.21 % |
-| 27 | 1 | 0.21 % |
+| 524 | 1 | 0.21 % |
+| 83820799 | 1 | 0.21 % |
+| 21 | 1 | 0.21 % |
+| 4732 | 1 | 0.21 % |
+| 4611 | 1 | 0.21 % |
| 5154 | 1 | 0.21 % |
| 4706 | 1 | 0.21 % |
| 4707 | 1 | 0.21 % |
-| 4704 | 1 | 0.21 % |
-| 21 | 1 | 0.21 % |
-| 4674 | 1 | 0.21 % |
-| 325 | 1 | 0.21 % |
-| 4661 | 1 | 0.21 % |
-| 1000 | 1 | 0.21 % |
| 47 | 1 | 0.21 % |
-| 4649 | 1 | 0.21 % |
| 4794 | 1 | 0.21 % |
-| 1127 | 1 | 0.21 % |
-| 40 | 1 | 0.21 % |
-| 4726 | 1 | 0.21 % |
-| 4768 | 1 | 0.21 % |
-| 5156 | 1 | 0.21 % |
-| 1034 | 1 | 0.21 % |
-| 4825 | 1 | 0.21 % |
-| 4743 | 1 | 0.21 % |
-| 23 | 1 | 0.21 % |
-| 4729 | 1 | 0.21 % |
-| 4732 | 1 | 0.21 % |
-| 1102 | 1 | 0.21 % |
-| 4799 | 1 | 0.21 % |
-| 5140 | 1 | 0.21 % |
+| 4661 | 1 | 0.21 % |
| 20 | 1 | 0.21 % |
-| 1033 | 1 | 0.21 % |
-| 6416 | 1 | 0.21 % |
-| 16 | 1 | 0.21 % |
-| 4673 | 1 | 0.21 % |
-| 4611 | 1 | 0.21 % |
-| 4698 | 1 | 0.21 % |
+| 79016668 | 1 | 0.21 % |
+| 150 | 1 | 0.21 % |
| 8001 | 1 | 0.21 % |
-| 4741 | 1 | 0.21 % |
+| 1127 | 1 | 0.21 % |
+| 4704 | 1 | 0.21 % |
+| 4674 | 1 | 0.21 % |
+| 1000 | 1 | 0.21 % |
+| 27 | 1 | 0.21 % |
+| 23 | 1 | 0.21 % |
## EventProviders occurences in rules
-| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 470) |
+| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 467) |
| ------- | ------------------------- | ------------------------------------------------------ |
-| Microsoft-Windows-Sysmon | 292 | 62.13 % |
-| Microsoft-Windows-Security-Auditing | 76 | 16.17 % |
-| Microsoft-Windows-PowerShell | 46 | 9.79 % |
-| Kernel-Process | 37 | 7.87 % |
-| Service Control Manager | 11 | 2.34 % |
-| Microsoft-Windows-Windows Defender | 9 | 1.91 % |
-| Microsoft-Windows-Kernel-File | 5 | 1.06 % |
-| Microsoft-Windows-DHCP-Server | 2 | 0.43 % |
-| Microsoft-Windows-DNS-Server-Service | 1 | 0.21 % |
-| Microsoft-Windows-Backup | 1 | 0.21 % |
-| Microsoft-Windows-Kernel-Process | 1 | 0.21 % |
+| Microsoft-Windows-Sysmon | 291 | 62.31 % |
+| Microsoft-Windows-Security-Auditing | 76 | 16.27 % |
+| Microsoft-Windows-PowerShell | 46 | 9.85 % |
+| Kernel-Process | 37 | 7.92 % |
+| Service Control Manager | 11 | 2.36 % |
+| Microsoft-Windows-Windows Defender | 9 | 1.93 % |
+| Microsoft-Windows-Kernel-File | 5 | 1.07 % |
+| Microsoft-Windows-Kernel-General | 1 | 0.21 % |
| Microsoft-Windows-Audit-CVE | 1 | 0.21 % |
-| Microsoft-Windows-Kernel-Network | 1 | 0.21 % |
| Microsoft-REDACTED-Security-Auditing | 1 | 0.21 % |
-| ESENT | 1 | 0.21 % |
-| Application Error | 1 | 0.21 % |
+| Microsoft-Windows-Kernel-Network | 1 | 0.21 % |
+| Microsoft-Windows-DHCP-Server | 1 | 0.21 % |
+| Microsoft-Windows-DNS-Client | 1 | 0.21 % |
| Microsoft-Windows-Eventlog | 1 | 0.21 % |
-| Microsoft-Windows-Kernel-General | 1 | 0.21 % |
+| ESENT | 1 | 0.21 % |
+| Microsoft-Windows-Kernel-Process | 1 | 0.21 % |
+| Microsoft-Windows-Backup | 1 | 0.21 % |
+| Microsoft-Windows-DNS-Server-Service | 1 | 0.21 % |
| Microsoft-Windows-NTLM | 1 | 0.21 % |
-| Microsoft-Windows-DNS-Client | 1 | 0.21 % |
+| Application Error | 1 | 0.21 % |
## EffortLevel x EventIDs
-| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 470 |
+| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 467 |
| ------------ | -------- | ----------------------- | ------------------------------------------------------- |
-| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4728, 4729, 4732, 4743, 5007, 5140, 5145, 64, 7, 79016668, 8001, 83820799, 98 | 92 | 19.57 % |
-| advanced | 1, 10, 11, 1116, 1127, 13, 15, 17, 21, 22, 23, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 5, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 119 | 25.32 % |
-| intermediate | 1, 10, 1000, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4662, 4663, 4688, 4697, 4698, 47, 4720, 4738, 4741, 4768, 4794, 4799, 4825, 5, 5136, 5145, 524, 6, 7, 7045 | 171 | 36.38 % |
-| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4663, 4688, 4697, 4704, 4720, 4738, 5, 5136, 7, 7045, 8 | 88 | 18.72 % |
\ No newline at end of file
+| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4728, 4729, 4732, 4743, 5007, 5140, 5145, 64, 7, 79016668, 8001, 83820799, 98 | 91 | 19.49 % |
+| advanced | 1, 10, 11, 1116, 1127, 13, 15, 17, 21, 22, 23, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 5, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 119 | 25.48 % |
+| intermediate | 1, 10, 1000, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4662, 4663, 4688, 4697, 4698, 47, 4720, 4738, 4741, 4768, 4794, 4799, 4825, 5, 5136, 5145, 524, 6, 7, 7045 | 170 | 36.4 % |
+| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4663, 4688, 4697, 4704, 4720, 4738, 5, 5136, 7, 7045, 8 | 87 | 18.63 % |
\ No newline at end of file